-{ lib, pkgs, myconfig, config, ... }:
+{ lib, pkgs, config, ... }:
let
- cfg = myconfig.env.backup;
+ cfg = config.myEnv.backup;
varDir = "/var/lib/duply";
duplyProfile = profile: prefix: ''
GPG_PW="${cfg.password}"
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
let
varDir = "/var/lib/buildbot";
buildbot_common = pkgs.python3Packages.buildPythonPackage rec {
services.duplyBackup.profiles.buildbot = {
rootDir = varDir;
};
- ids.uids.buildbot = myconfig.env.buildbot.user.uid;
- ids.gids.buildbot = myconfig.env.buildbot.user.gid;
+ ids.uids.buildbot = config.myEnv.buildbot.user.uid;
+ ids.gids.buildbot = config.myEnv.buildbot.user.gid;
users.groups.buildbot.gid = config.ids.gids.buildbot;
users.users.buildbot = {
services.websites.env.tools.watchPaths = lib.attrsets.mapAttrsToList
(k: project: "/var/secrets/buildbot/${project.name}/webhook-httpd-include")
- myconfig.env.buildbot.projects;
+ config.myEnv.buildbot.projects;
services.websites.env.tools.vhostConfs.git.extraConfig = lib.attrsets.mapAttrsToList (k: project: ''
RedirectMatch permanent "^/buildbot/${project.name}$" "/buildbot/${project.name}/"
Include /var/secrets/buildbot/${project.name}/webhook-httpd-include
</RequireAny>
</Location>
- '') myconfig.env.buildbot.projects;
+ '') config.myEnv.buildbot.projects;
system.activationScripts = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" {
deps = [ "users" "wrappers" ];
${project.activationScript}
'';
- }) myconfig.env.buildbot.projects;
+ }) config.myEnv.buildbot.projects;
secrets.keys = (
lib.lists.flatten (
permissions = "0600";
user = "wwwrun";
group = "wwwrun";
- text = lib.optionalString (lib.attrsets.hasAttr "webhookTokens" project) ''
+ text = lib.optionalString (project.webhookTokens != null) ''
Require expr "req('Access-Key') in { ${builtins.concatStringsSep ", " (map (x: "'${x}'") project.webhookTokens)} }"
'';
dest = "buildbot/${project.name}/webhook-httpd-include";
}
]
- ) myconfig.env.buildbot.projects
+ ) config.myEnv.buildbot.projects
)
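Review bot: The new guard `project.webhookTokens != null` at L46 admits an empty list, which with the `nullOr (listOf str)` declaration renders `Require expr "req('Access-Key') in {  }"` at L47; whether ap_expr accepts an empty `{ }` list should be confirmed rather than discovered at httpd start, so tightening the condition to `text = lib.optionalString (project.webhookTokens != null && project.webhookTokens != []) ''` keeps the include file empty in both "no tokens" cases. When the include file is empty, the `<RequireAny>` it is included into (its opening line is outside the hunk; the closing tag is at L30) may have no directives at all, so the effective access decision for a token-less project is worth a comment at L45, e.g. `# no webhookTokens: the include is empty, so access falls through to the enclosing <RequireAny>`. The tokens are also interpolated unescaped via `map (x: "'${x}'")`, so a token containing `'` would break the expression; that is pre-existing but becomes more visible now that the option is typed.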
) ++ [
{
permissions = "0600";
user = "buildbot";
group = "buildbot";
- text = myconfig.env.buildbot.ldap.password;
+ text = config.myEnv.buildbot.ldap.password;
dest = "buildbot/ldap";
}
{
permissions = "0600";
user = "buildbot";
group = "buildbot";
- text = builtins.readFile "${myconfig.privateFiles}/buildbot_ssh_key";
+ text = builtins.readFile "${config.myEnv.privateFiles}/buildbot_ssh_key";
dest = "buildbot/ssh_key";
}
];
"/var/secrets/buildbot/ldap"
"/var/secrets/buildbot/ssh_key"
] ++ lib.attrsets.mapAttrsToList (k: v: "/var/secrets/buildbot/${project.name}/${k}") project.secrets;
- }) myconfig.env.buildbot.projects;
+ }) config.myEnv.buildbot.projects;
systemd.services = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" {
description = "Buildbot Continuous Integration Server ${project.name}.";
WorkingDirectory = "${varDir}/${project.name}";
ExecStart = "${buildbot}/bin/buildbot start";
};
- }) myconfig.env.buildbot.projects;
+ }) config.myEnv.buildbot.projects;
};
}
-{ lib, config, myconfig, nodes, ... }:
+{ lib, config, nodes, ... }:
let
cfg = config.myServices.databases;
in
mariadb = {
enable = true;
ldapConfig = {
- inherit (myconfig.env.ldap) host base;
- inherit (myconfig.env.databases.mysql.pam) dn filter password;
+ inherit (config.myEnv.ldap) host base;
+ inherit (config.myEnv.databases.mysql.pam) dn filter password;
};
replicationLdapConfig = {
- inherit (myconfig.env.ldap) host base;
- inherit (myconfig.env.ldap.eldiron) dn password;
+ inherit (config.myEnv.ldap) host base;
+ inherit (config.myEnv.servers.eldiron.ldap) dn password;
};
- credentials.root = myconfig.env.databases.mysql.systemUsers.root;
+ credentials.root = config.myEnv.databases.mysql.systemUsers.root;
};
openldap = {
- accessFile = "${myconfig.privateFiles}/ldap.conf";
- baseDn = myconfig.env.ldap.base;
- rootDn = myconfig.env.ldap.root_dn;
- rootPw = myconfig.env.ldap.root_pw;
+ accessFile = "${config.myEnv.privateFiles}/ldap.conf";
+ baseDn = config.myEnv.ldap.base;
+ rootDn = config.myEnv.ldap.root_dn;
+ rootPw = config.myEnv.ldap.root_pw;
enable = true;
};
postgresql = {
ldapConfig = {
- inherit (myconfig.env.ldap) host base;
- inherit (myconfig.env.databases.postgresql.pam) dn filter password;
+ inherit (config.myEnv.ldap) host base;
+ inherit (config.myEnv.databases.postgresql.pam) dn filter password;
};
replicationLdapConfig = {
- inherit (myconfig.env.ldap) host base;
- inherit (myconfig.env.ldap.eldiron) dn password;
+ inherit (config.myEnv.ldap) host base;
+ inherit (config.myEnv.servers.eldiron.ldap) dn password;
};
authorizedHosts = {
immaeEu = [{
ip4 = [
- myconfig.env.servers.immaeEu.ips.main.ip4
- myconfig.env.servers.immaeEu.ips.alt.ip4
+ config.myEnv.servers.immaeEu.ips.main.ip4
+ config.myEnv.servers.immaeEu.ips.alt.ip4
];
}];
};
replicationHosts = {
backup-1 = {
- ip4 = [myconfig.env.servers.backup-1.ips.main.ip4];
- ip6 = myconfig.env.servers.backup-1.ips.main.ip6;
+ ip4 = [config.myEnv.servers.backup-1.ips.main.ip4];
+ ip6 = config.myEnv.servers.backup-1.ips.main.ip6;
};
backup-2 = {
- ip4 = [myconfig.env.servers.backup-2.ips.main.ip4];
- ip6 = myconfig.env.servers.backup-2.ips.main.ip6;
+ ip4 = [config.myEnv.servers.backup-2.ips.main.ip4];
+ ip6 = config.myEnv.servers.backup-2.ips.main.ip6;
};
};
enable = true;
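Review bot: The replication credentials at L104 and L131 are moved to `config.myEnv.servers.eldiron.ldap`, a per-server path, while every other LDAP value in this hunk reads `config.myEnv.ldap`; the new environment.nix declares both `servers.<name>.ldap.{dn,password}` (L386–396, no default) and `ldapOptions.replication_dn`/`replication_pw` (L277–278), so a reader cannot tell which of the two is meant to drive replication. A short comment at L100/L127 would settle it, e.g. `# replication binds with eldiron's per-server LDAP account (myEnv.servers.eldiron.ldap), not ldapOptions.replication_*`. If `string` at L392–393 is nixpkgs' deprecated `types.string`, note that it merges duplicate definitions by concatenation instead of raising a conflict, which for a bind password or DN would silently produce a wrong value; `str` (as used elsewhere in the file) is the safer type.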
-{ pkgs, config, myconfig, lib, ... }:
+{ pkgs, config, lib, ... }:
let
cfg = config.myServices.databasesReplication.openldap;
eldiron_schemas = pkgs.callPackage ./openldap/eldiron_schemas.nix {};
-{ lib, config, pkgs, myconfig, ... }:
+{ lib, config, pkgs, ... }:
let
cfg = config.myServices.databases.redis;
in {
WorkerThreads 1
Authority {
- Auth "${myconfig.env.databases.redis.predixy.read}" {
+ Auth "${config.myEnv.databases.redis.predixy.read}" {
Mode read
}
}
Databases 16
RefreshMethod fixed
Group shard001 {
- + ${myconfig.env.databases.redis.socket}
+ + ${config.myEnv.databases.redis.socket}
}
}
'';
user = "spiped";
group = "spiped";
permissions = "0400";
- text = myconfig.env.databases.redis.spiped_key;
+ text = config.myEnv.databases.redis.spiped_key;
}
];
-{ pkgs, config, myconfig, lib, ... }:
+{ pkgs, config, lib, ... }:
let
cfg = config.myServices.databasesReplication.redis;
in
config.redis = {
encrypt = true;
source = "127.0.0.1:16379";
- target = "${myconfig.env.servers.eldiron.ips.main.ip4}:16379";
+ target = "${config.myEnv.servers.eldiron.ips.main.ip4}:16379";
keyfile = "${config.secrets.location}/redis/spiped_eldiron_keyfile";
};
};
user = "spiped";
group = "spiped";
permissions = "0400";
- text = myconfig.env.databases.redis.spiped_key;
+ text = config.myEnv.databases.redis.spiped_key;
}
];
ssh = ./ssh;
monitoring = ./monitoring;
+ environment = ./environment.nix;
system = ./system.nix;
};
in
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
{
options.myServices.dns.enable = lib.mkEnableOption "enable DNS resolver";
config = let
allow-recursion { 127.0.0.1; };
allow-transfer { none; };
- notify-source ${myconfig.env.servers.eldiron.ips.main.ip4};
- notify-source-v6 ${lib.head myconfig.env.servers.eldiron.ips.main.ip6};
+ notify-source ${config.myEnv.servers.eldiron.ips.main.ip4};
+ notify-source-v6 ${lib.head config.myEnv.servers.eldiron.ips.main.ip6};
version none;
hostname none;
server-id none;
'';
- zones = with myconfig.env.dns;
+ zones = with config.myEnv.dns;
assert (builtins.substring ((builtins.stringLength soa.email)-1) 1 soa.email) != ".";
assert (builtins.substring ((builtins.stringLength soa.primary)-1) 1 soa.primary) != ".";
(map (conf: {
${conf.entries}
${if lib.attrsets.hasAttr "withEmail" conf && lib.lists.length conf.withEmail > 0 then ''
- mx-1 IN A ${myconfig.env.servers.eldiron.ips.main.ip4}
- mx-2 IN A ${myconfig.env.servers.immaeEu.ips.main.ip4}
- ${builtins.concatStringsSep "\n" (map (i: "mx-1 IN AAAA ${i}") myconfig.env.servers.eldiron.ips.main.ip6)}
- ${builtins.concatStringsSep "\n" (map (i: "mx-2 IN AAAA ${i}") myconfig.env.servers.immaeEu.ips.main.ip6)}
+ mx-1 IN A ${config.myEnv.servers.eldiron.ips.main.ip4}
+ mx-2 IN A ${config.myEnv.servers.immaeEu.ips.main.ip4}
+ ${builtins.concatStringsSep "\n" (map (i: "mx-1 IN AAAA ${i}") config.myEnv.servers.eldiron.ips.main.ip6)}
+ ${builtins.concatStringsSep "\n" (map (i: "mx-2 IN AAAA ${i}") config.myEnv.servers.immaeEu.ips.main.ip6)}
${lib.concatStringsSep "\n\n" (map (e:
let
n = if e.domain == "" then "@" else "${e.domain} ";
; https://support.google.com/a/answer/9261504
_mta-sts${suffix} IN TXT "v=STSv1;id=20190630054629Z"
_smtp._tls${suffix} IN TXT "v=TLSRPTv1;rua=mailto:postmaster+mta-sts@immae.eu"
- mta-sts${suffix} IN A ${myconfig.env.servers.eldiron.ips.main.ip4}
- ${builtins.concatStringsSep "\n" (map (i: "mta-sts${suffix} IN AAAA ${i}") myconfig.env.servers.eldiron.ips.main.ip6)}
+ mta-sts${suffix} IN A ${config.myEnv.servers.eldiron.ips.main.ip4}
+ ${builtins.concatStringsSep "\n" (map (i: "mta-sts${suffix} IN AAAA ${i}") config.myEnv.servers.eldiron.ips.main.ip6)}
; Mail sender authentications
${n} IN TXT "v=spf1 mx ~all"
immae_eu._domainkey${suffix} IN TXT ( "v=DKIM1; k=rsa; s=email; "
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzl3vLd8W5YAuumC5+ZT9OV7/14Pmh5JYtwyqKI3cfe9NnAqInt3xO4bZ7oqIxRKWN4SD39vm7O/QOvFdBt00ENOOzdP90s5gKw6eIP/4+vPTh0IWltAsmu9B2agzdtWUE7t2xFKIzEn8l9niRE2QYbVaqZv4sub98vY55fIgFoHtjkmNC7325S8fjDJGp6OPbyhAs6Xl5/adjF"
"0ko4Y2p6RaxLQfjlS0bxmK4Qg6C14pIXHtzVeqOuWrwApqt5+AULSn97iUtqV/IJlEEjC6DUR44t3C/G0G/k46iFclCqRRi0hdPrOHCtZDbtMubnTN9eaUiNpkXh1WnCflHwtjQwIDAQAB" )
- eldiron._domainkey${suffix} IN TXT ${myconfig.env.mail.dkim.eldiron.public}
+ eldiron._domainkey${suffix} IN TXT ${config.myEnv.mail.dkim.eldiron.public}
'' else ""}
'') conf.withEmail)}
'' + (if conf.name == "immae.eu" then ''
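Review bot: `lib.head config.myEnv.servers.eldiron.ips.main.ip6` at L226 aborts evaluation on an empty list, and the new option declaration gives `ip6` a default of `[]` (L411), so a server entry that omits ip6 now fails at the bind config with a bare "list index out of bounds"-style error rather than at the option; either drop the default for this use or guard the line, e.g. `${lib.optionalString (config.myEnv.servers.eldiron.ips.main.ip6 != []) "notify-source-v6 ${lib.head config.myEnv.servers.eldiron.ips.main.ip6};"}`. The `map` over ip6 at L244–245 and L255 is fine with an empty list, so only L226 is affected. If `string` at L404/L410 is nixpkgs' deprecated `types.string`, duplicate `ip4` definitions would be concatenated into one unparsable address instead of reported as a conflict; `str` matches the rest of the file. The enclosing `zones` expression (L232 onward) continues past the hunk.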
--- /dev/null
+{ lib, ... }:
+with lib;
+with types;
+with lists;
+let
+ ldapOptions = {
+ base = mkOption { description = "Base of the LDAP tree"; type = str; };
+ host = mkOption { description = "Host to access LDAP"; type = str; };
+ root_dn = mkOption { description = "DN of the root user"; type = str; };
+ root_pw = mkOption { description = "Hashed password of the root user"; type = str; };
+ replication_dn = mkOption { description = "DN of the user allowed to replicate the LDAP directory"; type = str; };
+ replication_pw = mkOption { description = "Password of the user allowed to replicate the LDAP directory"; type = str; };
+ };
+ mkLdapOptions = name: more: mkOption {
+ description = "${name} LDAP configuration";
+ type = submodule {
+ options = ldapOptions // {
+ dn = mkOption { description = "DN of the ${name} user"; type = str; };
+ password = mkOption { description = "password of the ${name} user"; type = str; };
+ filter = mkOption { description = "Filter for ${name} users"; type = str; default = ""; };
+ } // more;
+ };
+ };
+ mysqlOptions = {
+ host = mkOption { description = "Host to access Mysql"; type = str; };
+ port = mkOption { description = "Port to access Mysql"; type = str; };
+ socket = mkOption { description = "Socket to access Mysql"; type = path; };
+ systemUsers = mkOption {
+ description = "Attrs of user-passwords allowed to access mysql";
+ type = attrsOf str;
+ };
+ pam = mkOption {
+ description = "PAM configuration for mysql";
+ type = submodule {
+ options = {
+ dn = mkOption { description = "DN to connect as to check users"; type = str; };
+ password = mkOption { description = "DN password to connect as to check users"; type = str; };
+ filter = mkOption { description = "filter to match users"; type = str; };
+ };
+ };
+ };
+ };
+ mkMysqlOptions = name: mkOption {
+ description = "${name} mysql configuration";
+ type = submodule {
+ options = mysqlOptions // {
+ database = mkOption { description = "${name} database"; type = str; };
+ user = mkOption { description = "${name} user"; type = str; };
+ password = mkOption { description = "mysql password of the ${name} user"; type = str; };
+ };
+ };
+ };
+ psqlOptions = {
+ host = mkOption { description = "Host to access Postgresql"; type = str; };
+ port = mkOption { description = "Port to access Postgresql"; type = str; };
+ socket = mkOption { description = "Socket to access Postgresql"; type = path; };
+ pam = mkOption {
+ description = "PAM configuration for psql";
+ type = submodule {
+ options = {
+ dn = mkOption { description = "DN to connect as to check users"; type = str; };
+ password = mkOption { description = "DN password to connect as to check users"; type = str; };
+ filter = mkOption { description = "filter to match users"; type = str; };
+ };
+ };
+ };
+ };
+ mkPsqlOptions = name: mkOption {
+ description = "${name} psql configuration";
+ type = submodule {
+ options = psqlOptions // {
+ database = mkOption { description = "${name} database"; type = str; };
+ schema = mkOption { description = "${name} schema"; type = nullOr str; default = null; };
+ user = mkOption { description = "${name} user"; type = str; };
+ password = mkOption { description = "psql password of the ${name} user"; type = str; };
+ };
+ };
+ };
+ redisOptions = {
+ host = mkOption { description = "Host to access Redis"; type = str; };
+ port = mkOption { description = "Port to access Redis"; type = str; };
+ socket = mkOption { description = "Socket to access Redis"; type = path; };
+ dbs = mkOption {
+ description = "Attrs of db number. Each number should be unique to avoid collision!";
+ type = attrsOf str;
+ };
+ spiped_key = mkOption {
+ type = str;
+ description = ''
+ Key to use with spiped to make a secure channel to replication
+ '';
+ };
+ predixy = mkOption {
+ description = "Predixy configuration. Unused yet";
+ type = submodule {
+ options = {
+ read = mkOption { type = str; description = "Read password"; };
+ };
+ };
+ };
+ };
+ mkRedisOptions = name: mkOption {
+ description = "${name} redis configuration";
+ type = submodule {
+ options = redisOptions // {
+ db = mkOption { description = "${name} database"; type = str; };
+ };
+ };
+ };
+in
+{
+ options.myEnv = {
+ servers = mkOption {
+ description = ''
+ Attrs of servers information in the cluster (not necessarily handled by nixops)
+ '';
+ default = {};
+ type = attrsOf (submodule {
+ options = {
+ ldap = mkOption {
+ description = ''
+ LDAP credentials for the host
+ '';
+ type = submodule {
+ options = {
+ password = mkOption { type = string; description = "Password for the LDAP connection"; };
+ dn = mkOption { type = string; description = "DN for the LDAP connection"; };
+ };
+ };
+ };
+ ips = mkOption {
+ description = ''
+ attrs of ip4/ip6 grouped by section
+ '';
+ type = attrsOf (submodule {
+ options = {
+ ip4 = mkOption {
+ type = string;
+ description = ''
+ ip4 address of the host
+ '';
+ };
+ ip6 = mkOption {
+ type = listOf string;
+ default = [];
+ description = ''
+ ip6 addresses of the host
+ '';
+ };
+ };
+ });
+ };
+ };
+ });
+ };
+ hetznerCloud = mkOption {
+ description = ''
+ Hetzner Cloud credential information
+ '';
+ type = submodule {
+ options = {
+ authToken = mkOption {
+ type = str;
+ description = ''
+ The API auth token.
+ '';
+ };
+ };
+ };
+ };
+ hetzner = mkOption {
+ description = ''
+ Hetzner credential information
+ '';
+ type = submodule {
+ options = {
+ user = mkOption { type = str; description = "User"; };
+ pass = mkOption { type = str; description = "Password"; };
+ };
+ };
+ };
+ sshd = mkOption {
+ description = ''
+ sshd service credential information
+ '';
+ type = submodule {
+ options = {
+ ldap = mkOption {
+ description = ''
+ LDAP credentials for cn=ssh,ou=services,dc=immae,dc=eu dn
+ '';
+ type = submodule {
+ options = {
+ password = mkOption { description = "Password"; type = str; };
+ };
+ };
+ };
+ };
+ };
+ };
+ ports = mkOption {
+ description = ''
+ non-standard reserved ports. Must be unique!
+ '';
+ type = attrsOf port;
+ default = {};
+ apply = let
+ noDupl = x: builtins.length (builtins.attrValues x) == builtins.length (unique (builtins.attrValues x));
+ in
+ x: if isAttrs x && noDupl x then x else throw "Non unique values for ports";
+ };
+ httpd = mkOption {
+ description = ''
+ httpd service credential information
+ '';
+ type = submodule {
+ options = {
+ ldap = mkOption {
+ description = ''
+ LDAP credentials for cn=httpd,ou=services,dc=immae,dc=eu dn
+ '';
+ type = submodule {
+ options = {
+ password = mkOption { description = "Password"; type = str; };
+ };
+ };
+ };
+ };
+ };
+ };
+ ldap = mkOption {
+ description = ''
+ LDAP server configuration
+ '';
+ type = submodule {
+ options = ldapOptions;
+ };
+ };
+ databases = mkOption {
+ description = "Databases configuration";
+ type = submodule {
+ options = {
+ mysql = mkOption {
+ type = submodule { options = mysqlOptions; };
+ description = "Mysql configuration";
+ };
+ redis = mkOption {
+ type = submodule { options = redisOptions; };
+ description = "Redis configuration";
+ };
+ postgresql = mkOption {
+ type = submodule { options = psqlOptions; };
+ description = "Postgresql configuration";
+ };
+ };
+ };
+ };
+ jabber = mkOption {
+ description = "Jabber configuration";
+ type = submodule {
+ options = {
+ ldap = mkLdapOptions "Jabber" {};
+ postgresql = mkPsqlOptions "Jabber";
+ };
+ };
+ };
+ users = mkOption {
+ description = "System and regular users uid/gid";
+ type = attrsOf (submodule {
+ options = {
+ uid = mkOption {
+ description = "user uid";
+ type = int;
+ };
+ gid = mkOption {
+ description = "user gid";
+ type = int;
+ };
+ };
+ });
+ };
+ dns = mkOption {
+ description = "DNS configuration";
+ type = submodule {
+ options = {
+ soa = mkOption {
+ description = "SOA information";
+ type = submodule {
+ options = {
+ serial = mkOption {
+ description = "Serial number. Should be incremented at each change and unique";
+ type = str;
+ };
+ refresh = mkOption {
+ description = "Refresh time";
+ type = str;
+ };
+ retry = mkOption {
+ description = "Retry time";
+ type = str;
+ };
+ expire = mkOption {
+ description = "Expire time";
+ type = str;
+ };
+ ttl = mkOption {
+ description = "Default TTL time";
+ type = str;
+ };
+ email = mkOption {
+ description = "hostmaster e-mail";
+ type = str;
+ };
+ primary = mkOption {
+ description = "Primary NS";
+ type = str;
+ };
+ };
+ };
+ };
+ ns = mkOption {
+ description = "Attrs of NS servers group";
+ example = {
+ foo = {
+ "ns1.foo.com" = [ "198.51.100.10" "2001:db8:abcd::1" ];
+ "ns2.foo.com" = [ "198.51.100.15" "2001:db8:1234::1" ];
+ };
+ };
+ type = attrsOf (attrsOf (listOf str));
+ };
+ slaveZones = mkOption {
+ description = "List of slave zones";
+ type = listOf (submodule {
+ options = {
+ name = mkOption { type = str; description = "zone name"; };
+ masters = mkOption {
+ description = "NS master groups of this zone";
+ type = listOf str;
+ };
+ };
+ });
+ };
+ masterZones = mkOption {
+ description = "List of master zones";
+ type = listOf (submodule {
+ options = {
+ name = mkOption { type = str; description = "zone name"; };
+ slaves = mkOption {
+ description = "NS slave groups of this zone";
+ type = listOf str;
+ };
+ ns = mkOption {
+ description = "groups names that should have their NS entries listed here";
+ type = listOf str;
+ };
+ extra = mkOption {
+ description = "Extra zone configuration for bind";
+ example = ''
+ notify yes;
+ '';
+ type = lines;
+ };
+ entries = mkOption { type = lines; description = "Regular entries of the NS zone"; };
+ withEmail = mkOption {
+ description = "List of domains that should have mail entries (MX, dkim, SPF, ...)";
+ default = [];
+ type = listOf (submodule {
+ options = {
+ domain = mkOption { type = str; description = "Which subdomain is concerned"; };
+ send = mkOption { type = bool; description = "Whether there can be e-mails originating from the subdomain"; };
+ receive = mkOption { type = bool; description = "Whether there can be e-mails arriving to the subdomain"; };
+ };
+ });
+ };
+ };
+ });
+ };
+ };
+ };
+ };
+ backup = mkOption {
+ description = ''
+ Remote backup with duplicity
+ '';
+ type = submodule {
+ options = {
+ password = mkOption { type = str; description = "Password for encrypting files"; };
+ remote = mkOption { type = str; description = "Remote url access"; };
+ accessKeyId = mkOption { type = str; description = "Remote access-key"; };
+ secretAccessKey = mkOption { type = str; description = "Remote access secret"; };
+ };
+ };
+ };
+ rsync_backup = mkOption {
+ description =''
+ Rsync backup configuration from controlled host
+ '';
+ type = submodule {
+ options = {
+ mailto = mkOption { type = str; description = "Where to e-mail on error"; };
+ ssh_key = mkOption {
+ description = "SSH key information";
+ type = submodule {
+ options = {
+ public = mkOption { type = str; description = "Public part of the key"; };
+ private = mkOption { type = lines; description = "Private part of the key"; };
+ };
+ };
+ };
+ profiles = mkOption {
+ description = "Attrs of profiles to backup";
+ type = attrsOf (submodule {
+ options = {
+ keep = mkOption { type = int; description = "Number of backups to keep"; };
+ login = mkOption { type = str; description = "Login to connect to host"; };
+ port = mkOption { type = str; default = "22"; description = "Port to connect to host"; };
+ host = mkOption { type = str; description = "Host to connect to"; };
+ host_key = mkOption { type = str; description = "Host key"; };
+ host_key_type = mkOption { type = str; description = "Host key type"; };
+ parts = mkOption {
+ description = "Parts to backup for this host";
+ type = attrsOf (submodule {
+ options = {
+ remote_folder = mkOption { type = path; description = "Remote folder to backup";};
+ exclude_from = mkOption {
+ type = listOf path;
+ default = [];
+ description = "List of folders/files to exclude from the backup";
+ };
+ files_from = mkOption {
+ type = listOf path;
+ default = [];
+ description = "List of folders/files to backup in the base folder";
+ };
+ args = mkOption {
+ type = nullOr str;
+ default = null;
+ description = "Extra arguments to pass to rsync";
+ };
+ };
+ });
+ };
+ };
+ });
+ };
+ };
+ };
+ };
+ monitoring = mkOption {
+ description = "Monitoring configuration";
+ type = submodule {
+ options = {
+ status_url = mkOption { type = str; description = "URL to push status to"; };
+ status_token = mkOption { type = str; description = "Token for the status url"; };
+ email = mkOption { type = str; description = "Admin E-mail"; };
+ };
+ };
+ };
+ mpd = mkOption {
+ description = "MPD configuration";
+ type = submodule {
+ options = {
+ folder = mkOption { type = str; description = "Folder to serve from the MPD instance"; };
+ password = mkOption { type = str; description = "Password to connect to the MPD instance"; };
+ host = mkOption { type = str; description = "Host to connect to the MPD instance"; };
+ port = mkOption { type = str; description = "Port to connect to the MPD instance"; };
+ };
+ };
+ };
+ ftp = mkOption {
+ description = "FTP configuration";
+ type = submodule {
+ options = {
+ ldap = mkLdapOptions "FTP" {};
+ };
+ };
+ };
+ mail = mkOption {
+ description = "Mail configuration";
+ type = submodule {
+ options = {
+ dmarc = mkOption {
+ description = "DMARC configuration";
+ type = submodule {
+ options = {
+ ignore_hosts = mkOption {
+ type = lines;
+ description = ''
+ Hosts to ignore when checking for dmarc
+ '';
+ };
+ };
+ };
+ };
+ dkim = mkOption {
+ description = "DKIM configuration";
+ type = attrsOf (submodule {
+ options = {
+ public = mkOption {
+ type = str;
+ example = ''
+ ( "v=DKIM1; k=rsa; "
+ "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3w1a2aMxWw9+hdcmbqX4UevcVqr204y0K73Wdc7MPZiOOlUJQYsMNSYR1Y/SC7jmPKeitpcJCpQgn/cveJZbuikjjPLsDReHyFEYmC278ZLRTELHx6f1IXM8WE08JIRT69CfZiMi1rVcOh9qRT4F93PyjCauU8Y5hJjtg9ThsWwIDAQAB" )
+ '';
+ description = "Public entry to put in DNS TXT field";
+ };
+ private = mkOption { type = str; description = "Private key"; };
+ };
+ });
+ };
+ postfix = mkOption {
+ description = "Postfix configuration";
+ type = submodule {
+ options = {
+ additional_mailbox_domains = mkOption {
+ description = ''
+ List of domains that are used as mailbox final destination, in addition to those defined in the DNS records
+ '';
+ type = listOf str;
+ };
+ mysql = mkMysqlOptions "Postfix";
+ backup_domains = mkOption {
+ description = ''
+ Domains that are accepted for relay as backup domain
+ '';
+ type = attrsOf (submodule {
+ options = {
+ domains = mkOption { type = listOf str; description = "Domains list"; };
+ relay_restrictions = mkOption {
+ type = lines;
+ description = ''
+ Restrictions for relaying the e-mails from the domains
+ '';
+ };
+ recipient_maps = mkOption {
+ description = ''
+ Recipient map to accept relay for.
+ Must be specified for domain, the rules apply to everyone!
+ '';
+ type = listOf (submodule {
+ options = {
+ type = mkOption {
+ type = enum [ "hash" ];
+ description = "Map type";
+ };
+ content = mkOption {
+ type = str;
+ description = "Map content";
+ };
+ };
+ });
+ };
+ };
+ });
+ };
+ };
+ };
+ };
+ dovecot = mkOption {
+ description = "Dovecot configuration";
+ type = submodule {
+ options = {
+ ldap = mkLdapOptions "Dovecot" {
+ pass_attrs = mkOption { type = str; description = "Password attribute in LDAP"; };
+ user_attrs = mkOption { type = str; description = "User attribute mapping in LDAP"; };
+ iterate_attrs = mkOption { type = str; description = "User attribute mapping for listing in LDAP"; };
+ iterate_filter = mkOption { type = str; description = "User attribute filter for listing in LDAP"; };
+ };
+ };
+ };
+ };
+ rspamd = mkOption {
+ description = "rspamd configuration";
+ type = submodule {
+ options = {
+ redis = mkRedisOptions "Redis";
+ read_password_hashed = mkOption { type = str; description = "Hashed read password for rspamd"; };
+ write_password_hashed = mkOption { type = str; description = "Hashed write password for rspamd"; };
+ read_password = mkOption {
+ type = str;
+ description = "Read password for rspamd. Unused";
+ apply = x: "";
+ };
+ write_password = mkOption {
+ type = str;
+ description = "Write password for rspamd. Unused";
+ apply = x: "";
+ };
+ };
+ };
+ };
+ scripts = mkOption {
+ description = "Mail script recipients";
+ type = attrsOf (submodule {
+ options = {
+ src = mkOption {
+ description = ''
+ git source to fetch the script from.
+ It must have a default.nix file as its root accepting a scriptEnv parameter
+ '';
+ type = submodule {
+ options = {
+ url = mkOption { type = str; description = "git url to fetch"; };
+ rev = mkOption { type = str; description = "git reference to fetch"; };
+ };
+ };
+ };
+ env = mkOption {
+ description = "Variables to pass to the script";
+ type = unspecified;
+ };
+ };
+ });
+ };
+ };
+ };
+ };
+ buildbot = mkOption {
+ description = "Buildbot configuration";
+ type = submodule {
+ options = {
+ user = mkOption {
+ description = "Buildbot user";
+ type = submodule {
+ options = {
+ uid = mkOption {
+ description = "user uid";
+ type = int;
+ };
+ gid = mkOption {
+ description = "user gid";
+ type = int;
+ };
+ };
+ };
+ };
+ ldap = mkOption {
+ description = "Ldap configuration for buildbot";
+ type = submodule {
+ options = {
+ password = mkOption { type = str; description = "Buildbot password"; };
+ };
+ };
+ };
+ projects = mkOption {
+ description = "Projects to make a buildbot for";
+ type = attrsOf (submodule {
+ options = {
+ name = mkOption { type = str; description = "Project name"; };
+ packages = mkOption {
+ type = unspecified;
+ example = literalExample ''
+ pkgs: [ pkgs.bash pkgs.git pkgs.gzip pkgs.openssh ];
+ '';
+ description = ''
+ Function.
+ Builds packages list to make available to buildbot project.
+ Takes pkgs as argument.
+ '';
+ };
+ pythonPackages = mkOption {
+ type = unspecified;
+ example = literalExample ''
+ p: pkgs: [ pkgs.python3Packages.pip ];
+ '';
+ description = ''
+ Function.
+ Builds python packages list to make available to buildbot project.
+ Takes buildbot python module as first argument and pkgs as second argument in order to augment the python modules list.
+ '';
+ };
+ pythonPathHome = mkOption { type = bool; description = "Whether to add project’s python home to python path"; };
+ secrets = mkOption {
+ type = attrsOf str;
+ description = "Secrets for the project to dump as files";
+ };
+ environment = mkOption {
+ type = attrsOf str;
+ description = ''
+ Environment variables for the project.
+ BUILDBOT_ is prefixed to the variable names
+ '';
+ };
+ activationScript = mkOption {
+ type = lines;
+ description = ''
+ Activation script to run during deployment
+ '';
+ };
+ builderPaths = mkOption {
+ type = attrsOf unspecified;
+ default = {};
+ description = ''
+ Attrs of functions to make accessible specifically per builder.
+ Takes pkgs as argument and should return a single path containing binaries.
+ This path will be accessible as BUILDBOT_PATH_<attrskey>
+ '';
+ };
+ webhookTokens = mkOption {
+ type = nullOr (listOf str);
+ default = null;
+ description = ''
+ List of tokens allowed to push to project’s change_hook/base endpoint
+ '';
+ };
+ };
+ });
+ };
+ };
+ };
+ };
+ tools = mkOption {
+ description = "Tools configurations";
+ type = submodule {
+ options = {
+ davical = mkOption {
+ description = "Davical configuration";
+ type = submodule {
+ options = {
+ postgresql = mkPsqlOptions "Davical";
+ ldap = mkLdapOptions "Davical" {};
+ };
+ };
+ };
+ diaspora = mkOption {
+ description = "Diaspora configuration";
+ type = submodule {
+ options = {
+ postgresql = mkPsqlOptions "Diaspora";
+ redis = mkRedisOptions "Diaspora";
+ ldap = mkLdapOptions "Diaspora" {};
+ secret_token = mkOption { type = str; description = "Secret token"; };
+ };
+ };
+ };
+ etherpad-lite = mkOption {
+ description = "Etherpad configuration";
+ type = submodule {
+ options = {
+ postgresql = mkPsqlOptions "Etherpad";
+ ldap = mkLdapOptions "Etherpad" {
+ group_filter = mkOption { type = str; description = "Filter for groups"; };
+ };
+ session_key = mkOption { type = str; description = "Session key"; };
+ api_key = mkOption { type = str; description = "API key"; };
+ redirects = mkOption { type = str; description = "Redirects for apache"; };
+ };
+ };
+ };
+ gitolite = mkOption {
+ description = "Gitolite configuration";
+ type = submodule {
+ options = {
+ ldap = mkLdapOptions "Gitolite" {};
+ };
+ };
+ };
+ kanboard = mkOption {
+ description = "Kanboard configuration";
+ type = submodule {
+ options = {
+ postgresql = mkPsqlOptions "Kanboard";
+ ldap = mkLdapOptions "Kanboard" {
+ admin_dn = mkOption { type = str; description = "Admin DN"; };
+ };
+ };
+ };
+ };
+ mantisbt = mkOption {
+ description = "Mantisbt configuration";
+ type = submodule {
+ options = {
+ postgresql = mkPsqlOptions "Mantisbt";
+ ldap = mkLdapOptions "Mantisbt" {};
+ master_salt = mkOption { type = str; description = "Master salt for password hash"; };
+ };
+ };
+ };
+ mastodon = mkOption {
+ description = "Mastodon configuration";
+ type = submodule {
+ options = {
+ postgresql = mkPsqlOptions "Mastodon";
+ redis = mkRedisOptions "Mastodon";
+ ldap = mkLdapOptions "Mastodon" {};
+ paperclip_secret = mkOption { type = str; description = "Paperclip secret"; };
+ otp_secret = mkOption { type = str; description = "OTP secret"; };
+ secret_key_base = mkOption { type = str; description = "Secret key base"; };
+ vapid = mkOption {
+ description = "vapid key";
+ type = submodule {
+ options = {
+ private = mkOption { type = str; description = "Private key"; };
+ public = mkOption { type = str; description = "Public key"; };
+ };
+ };
+ };
+ };
+ };
+ };
+ mediagoblin = mkOption {
+ description = "Mediagoblin configuration";
+ type = submodule {
+ options = {
+ postgresql = mkPsqlOptions "Mediagoblin";
+ redis = mkRedisOptions "Mediagoblin";
+ ldap = mkLdapOptions "Mediagoblin" {};
+ };
+ };
+ };
+ nextcloud = mkOption {
+ description = "Nextcloud configuration";
+ type = submodule {
+ options = {
+ postgresql = mkPsqlOptions "Peertube";
+ redis = mkRedisOptions "Peertube";
+ password_salt = mkOption { type = str; description = "Password salt"; };
+ instance_id = mkOption { type = str; description = "Instance ID"; };
+ secret = mkOption { type = str; description = "App secret"; };
+ };
+ };
+ };
+ peertube = mkOption {
+ description = "Peertube configuration";
+ type = submodule {
+ options = {
+ listenPort = mkOption { type = port; description = "Port to listen to"; };
+ postgresql = mkPsqlOptions "Peertube";
+ redis = mkRedisOptions "Peertube";
+ ldap = mkLdapOptions "Peertube" {};
+ };
+ };
+ };
+ phpldapadmin = mkOption {
+ description = "phpLdapAdmin configuration";
+ type = submodule {
+ options = {
+ ldap = mkLdapOptions "phpldapadmin" {};
+ };
+ };
+ };
+ rompr = mkOption {
+ description = "Rompr configuration";
+ type = submodule {
+ options = {
+ mpd = mkOption {
+ description = "MPD configuration";
+ type = submodule {
+ options = {
+ host = mkOption { type = str; description = "Host for MPD"; };
+ port = mkOption { type = port; description = "Port to access MPD host"; };
+ };
+ };
+ };
+ };
+ };
+ };
+ roundcubemail = mkOption {
+ description = "Roundcubemail configuration";
+ type = submodule {
+ options = {
+ postgresql = mkPsqlOptions "TT-RSS";
+ secret = mkOption { type = str; description = "Secret"; };
+ };
+ };
+ };
+ shaarli = mkOption {
+ description = "Shaarli configuration";
+ type = submodule {
+ options = {
+ ldap = mkLdapOptions "Shaarli" {};
+ };
+ };
+ };
+ task = mkOption {
+ description = "Taskwarrior configuration";
+ type = submodule {
+ options = {
+ ldap = mkLdapOptions "Taskwarrior" {};
+ taskwarrior-web = mkOption {
+ description = "taskwarrior-web profiles";
+ type = attrsOf (submodule {
+ options = {
+ uid = mkOption {
+ type = listOf str;
+ description = "List of ldap uids having access to this profile";
+ };
+ org = mkOption { type = str; description = "Taskd organisation"; };
+ key = mkOption { type = str; description = "Taskd key"; };
+ date = mkOption { type = str; description = "Preferred date format"; };
+ };
+ });
+ };
+ };
+ };
+ };
+ ttrss = mkOption {
+ description = "TT-RSS configuration";
+ type = submodule {
+ options = {
+ postgresql = mkPsqlOptions "TT-RSS";
+ ldap = mkLdapOptions "TT-RSS" {};
+ };
+ };
+ };
+ wallabag = mkOption {
+ description = "Wallabag configuration";
+ type = submodule {
+ options = {
+ postgresql = mkPsqlOptions "Wallabag";
+ ldap = mkLdapOptions "Wallabag" {
+ admin_filter = mkOption { type = str; description = "Admin users filter"; };
+ };
+ redis = mkRedisOptions "Wallabag";
+ secret = mkOption { type = str; description = "App secret"; };
+ };
+ };
+ };
+ ympd = mkOption {
+ description = "Ympd configuration";
+ type = submodule {
+ options = {
+ listenPort = mkOption { type = port; description = "Port to listen to"; };
+ mpd = mkOption {
+ description = "MPD configuration";
+ type = submodule {
+ options = {
+ password = mkOption { type = str; description = "Password to access MPD host"; };
+ host = mkOption { type = str; description = "Host for MPD"; };
+ port = mkOption { type = port; description = "Port to access MPD host"; };
+ };
+ };
+ };
+ };
+ };
+ };
+ yourls = mkOption {
+ description = "Yourls configuration";
+ type = submodule {
+ options = {
+ mysql = mkMysqlOptions "Yourls";
+ ldap = mkLdapOptions "Yourls" {};
+ cookieKey = mkOption { type = str; description = "Cookie key"; };
+ };
+ };
+ };
+ };
+ };
+ };
+ websites = mkOption {
+ description = "Websites configurations";
+ type = submodule {
+ options = {
+ aten = mkOption {
+ description = "Aten configurations by environment";
+ type =
+ let
+ atenSubmodule = mkOption {
+ description = "environment configuration";
+ type = submodule {
+ options = {
+ environment = mkOption { type = str; description = "Symfony environment"; };
+ secret = mkOption { type = str; description = "Symfony App secret"; };
+ postgresql = mkPsqlOptions "Aten";
+ };
+ };
+ };
+ in
+ submodule {
+ options = {
+ production = atenSubmodule;
+ integration = atenSubmodule;
+ };
+ };
+ };
+ chloe = mkOption {
+ description = "Chloe configurations by environment";
+ type =
+ let
+ chloeSubmodule = mkOption {
+ description = "environment configuration";
+ type = submodule {
+ options = {
+ environment = mkOption { type = str; description = "Symfony environment"; };
+ mysql = mkMysqlOptions "Chloe";
+ ldap = mkLdapOptions "Chloe" {};
+ };
+ };
+ };
+ in
+ submodule {
+ options = {
+ production = chloeSubmodule;
+ integration = chloeSubmodule;
+ };
+ };
+ };
+ connexionswing = mkOption {
+ description = "Connexionswing configurations by environment";
+ type =
+ let
+ csSubmodule = mkOption {
+ description = "environment configuration";
+ type = submodule {
+ options = {
+ environment = mkOption { type = str; description = "Symfony environment"; };
+ mysql = mkMysqlOptions "Connexionswing";
+ secret = mkOption { type = str; description = "Symfony App secret"; };
+ email = mkOption { type = str; description = "Symfony email notification"; };
+ };
+ };
+ };
+ in
+ submodule {
+ options = {
+ production = csSubmodule;
+ integration = csSubmodule;
+ };
+ };
+ };
+ jerome = mkOption {
+ description = "Naturaloutil configuration";
+ type = submodule {
+ options = {
+ mysql = mkMysqlOptions "Naturaloutil";
+ server_admin = mkOption { type = str; description = "Server admin e-mail"; };
+ };
+ };
+ };
+ telioTortay = mkOption {
+ description = "Telio Tortay configuration";
+ type = submodule {
+ options = {
+ server_admin = mkOption { type = str; description = "Server admin e-mail"; };
+ };
+ };
+ };
+ ludivinecassal = mkOption {
+ description = "Ludivinecassal configurations by environment";
+ type =
+ let
+ lcSubmodule = mkOption {
+ description = "environment configuration";
+ type = submodule {
+ options = {
+ environment = mkOption { type = str; description = "Symfony environment"; };
+ mysql = mkMysqlOptions "LudivineCassal";
+ ldap = mkLdapOptions "LudivineCassal" {};
+ secret = mkOption { type = str; description = "Symfony App secret"; };
+ };
+ };
+ };
+ in
+ submodule {
+ options = {
+ production = lcSubmodule;
+ integration = lcSubmodule;
+ };
+ };
+ };
+ emilia = mkOption {
+ description = "Emilia configuration";
+ type = submodule {
+ options = {
+ postgresql = mkPsqlOptions "Emilia";
+ };
+ };
+ };
+ florian = mkOption {
+ description = "Florian configuration";
+ type = submodule {
+ options = {
+ server_admin = mkOption { type = str; description = "Server admin e-mail"; };
+ };
+ };
+ };
+ nassime = mkOption {
+ description = "Nassime configuration";
+ type = submodule {
+ options = {
+ server_admin = mkOption { type = str; description = "Server admin e-mail"; };
+ };
+ };
+ };
+ piedsjaloux = mkOption {
+ description = "Piedsjaloux configurations by environment";
+ type =
+ let
+ pjSubmodule = mkOption {
+ description = "environment configuration";
+ type = submodule {
+ options = {
+ environment = mkOption { type = str; description = "Symfony environment"; };
+ mysql = mkMysqlOptions "Piedsjaloux";
+ secret = mkOption { type = str; description = "Symfony App secret"; };
+ };
+ };
+ };
+ in
+ submodule {
+ options = {
+ production = pjSubmodule;
+ integration = pjSubmodule;
+ };
+ };
+ };
+ tellesflorian = mkOption {
+ description = "Tellesflorian configurations by environment";
+ type =
+ let
+ tfSubmodule = mkOption {
+ description = "environment configuration";
+ type = submodule {
+ options = {
+ environment = mkOption { type = str; description = "Symfony environment"; };
+ mysql = mkMysqlOptions "Tellesflorian";
+ secret = mkOption { type = str; description = "Symfony App secret"; };
+ invite_passwords = mkOption { type = str; description = "Password basic auth"; };
+ };
+ };
+ };
+ in
+ submodule {
+ options = {
+ integration = tfSubmodule;
+ };
+ };
+ };
+ };
+ };
+ };
+
+ privateFiles = mkOption {
+ type = path;
+ description = ''
+ Path to secret files to make available during build
+ '';
+ };
+ };
+ options.hostEnv = {
+ FQDN = mkOption {
+ type = string;
+ description = ''
+ FQDN of the current host.
+ '';
+ };
+ };
+}
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
let
package = pkgs.pure-ftpd.override { ldapFtpId = "immaeFtp"; };
in
user = "ftp";
group = "ftp";
text = ''
- LDAPServer ${myconfig.env.ftp.ldap.host}
+ LDAPServer ${config.myEnv.ftp.ldap.host}
LDAPPort 389
LDAPUseTLS True
- LDAPBaseDN ${myconfig.env.ftp.ldap.base}
- LDAPBindDN ${myconfig.env.ftp.ldap.dn}
- LDAPBindPW ${myconfig.env.ftp.ldap.password}
+ LDAPBaseDN ${config.myEnv.ftp.ldap.base}
+ LDAPBindDN ${config.myEnv.ftp.ldap.dn}
+ LDAPBindPW ${config.myEnv.ftp.ldap.password}
LDAPDefaultUID 500
LDAPForceDefaultUID False
LDAPDefaultGID 100
LDAPForceDefaultGID False
- LDAPFilter ${myconfig.env.ftp.ldap.filter}
+ LDAPFilter ${config.myEnv.ftp.ldap.filter}
LDAPAuthMethod BIND
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
let
cfg = config.myServices.gitolite;
in {
name = "gitolite_ldap_groups.sh";
file = ./gitolite_ldap_groups.sh;
vars = {
- LDAP_PASS = myconfig.env.tools.gitolite.ldap.password;
+ LDAP_PASS = config.myEnv.tools.gitolite.ldap.password;
};
paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.coreutils ];
};
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
{
imports = [
./milters.nix
extraDomains = let
zonesWithMx = builtins.filter (zone:
lib.attrsets.hasAttr "withEmail" zone && lib.lists.length zone.withEmail > 0
- ) myconfig.env.dns.masterZones;
+ ) config.myEnv.dns.masterZones;
mxs = map (zone: "mx-1.${zone.name}") zonesWithMx;
in builtins.listToAttrs (map (mx: lib.attrsets.nameValuePair mx null) mxs);
};
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
let
sieve_bin = pkgs.runCommand "sieve_bin" {
buildInputs = [ pkgs.makeWrapper ];
group = config.services.dovecot2.group;
permissions = "0400";
text = ''
- hosts = ${myconfig.env.mail.dovecot.ldap.host}
+ hosts = ${config.myEnv.mail.dovecot.ldap.host}
tls = yes
- dn = ${myconfig.env.mail.dovecot.ldap.dn}
- dnpass = ${myconfig.env.mail.dovecot.ldap.password}
+ dn = ${config.myEnv.mail.dovecot.ldap.dn}
+ dnpass = ${config.myEnv.mail.dovecot.ldap.password}
auth_bind = yes
ldap_version = 3
- base = ${myconfig.env.mail.dovecot.ldap.base}
+ base = ${config.myEnv.mail.dovecot.ldap.base}
scope = subtree
- pass_filter = ${myconfig.env.mail.dovecot.ldap.filter}
- pass_attrs = ${myconfig.env.mail.dovecot.ldap.pass_attrs}
+ pass_filter = ${config.myEnv.mail.dovecot.ldap.filter}
+ pass_attrs = ${config.myEnv.mail.dovecot.ldap.pass_attrs}
- user_attrs = ${myconfig.env.mail.dovecot.ldap.user_attrs}
- user_filter = ${myconfig.env.mail.dovecot.ldap.filter}
- iterate_attrs = ${myconfig.env.mail.dovecot.ldap.iterate_attrs}
- iterate_filter = ${myconfig.env.mail.dovecot.ldap.iterate_filter}
+ user_attrs = ${config.myEnv.mail.dovecot.ldap.user_attrs}
+ user_filter = ${config.myEnv.mail.dovecot.ldap.filter}
+ iterate_attrs = ${config.myEnv.mail.dovecot.ldap.iterate_attrs}
+ iterate_filter = ${config.myEnv.mail.dovecot.ldap.iterate_filter}
'';
}
];
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
{
options.myServices.mail.milters.sockets = lib.mkOption {
type = lib.types.attrsOf lib.types.path;
user = config.services.opendkim.user;
group = config.services.opendkim.group;
permissions = "0400";
- text = myconfig.env.mail.dkim.eldiron.private;
+ text = config.myEnv.mail.dkim.eldiron.private;
}
{
dest = "opendkim/eldiron.txt";
group = config.services.opendkim.group;
permissions = "0444";
text = ''
- eldiron._domainkey IN TXT ${myconfig.env.mail.dkim.eldiron.public}'';
+ eldiron._domainkey IN TXT ${config.myEnv.mail.dkim.eldiron.public}'';
}
{
dest = "opendmarc/ignore.hosts";
user = config.services.opendmarc.user;
group = config.services.opendmarc.group;
permissions = "0400";
- text = myconfig.env.mail.dmarc.ignore_hosts;
+ text = config.myEnv.mail.dmarc.ignore_hosts;
}
];
users.users."${config.services.opendkim.user}".extraGroups = [ "keys" ];
(e: "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}")
(zone.withEmail or [])
)
- myconfig.env.dns.masterZones
+ config.myEnv.dns.masterZones
));
keyPath = "${config.secrets.location}/opendkim";
selector = "eldiron";
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
{
config = lib.mkIf config.myServices.mail.enable {
services.duplyBackup.profiles.mail.excludeFile = ''
text = ''
# We need to specify that option to trigger ssl connection
tls_ciphers = TLSv1.2
- user = ${myconfig.env.mail.postfix.mysql.user}
- password = ${myconfig.env.mail.postfix.mysql.password}
- hosts = unix:${myconfig.env.mail.postfix.mysql.socket}
- dbname = ${myconfig.env.mail.postfix.mysql.database}
+ user = ${config.myEnv.mail.postfix.mysql.user}
+ password = ${config.myEnv.mail.postfix.mysql.password}
+ hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
+ dbname = ${config.myEnv.mail.postfix.mysql.database}
query = SELECT DISTINCT destination
FROM forwardings_merge
WHERE
text = ''
# We need to specify that option to trigger ssl connection
tls_ciphers = TLSv1.2
- user = ${myconfig.env.mail.postfix.mysql.user}
- password = ${myconfig.env.mail.postfix.mysql.password}
- hosts = unix:${myconfig.env.mail.postfix.mysql.socket}
- dbname = ${myconfig.env.mail.postfix.mysql.database}
+ user = ${config.myEnv.mail.postfix.mysql.user}
+ password = ${config.myEnv.mail.postfix.mysql.password}
+ hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
+ dbname = ${config.myEnv.mail.postfix.mysql.database}
result_format = /%d/%u
query = SELECT DISTINCT '%s'
FROM mailboxes
text = ''
# We need to specify that option to trigger ssl connection
tls_ciphers = TLSv1.2
- user = ${myconfig.env.mail.postfix.mysql.user}
- password = ${myconfig.env.mail.postfix.mysql.password}
- hosts = unix:${myconfig.env.mail.postfix.mysql.socket}
- dbname = ${myconfig.env.mail.postfix.mysql.database}
+ user = ${config.myEnv.mail.postfix.mysql.user}
+ password = ${config.myEnv.mail.postfix.mysql.password}
+ hosts = unix:${config.myEnv.mail.postfix.mysql.socket}
+ dbname = ${config.myEnv.mail.postfix.mysql.database}
query = SELECT DISTINCT destination
FROM forwardings_merge
WHERE
'';
scripts = lib.attrsets.mapAttrs (n: v:
toScript n (pkgs.callPackage (builtins.fetchGit { url = v.src.url; ref = "master"; rev = v.src.rev; }) { scriptEnv = v.env; })
- ) myconfig.env.mail.scripts;
+ ) config.myEnv.mail.scripts;
in builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (n: v: ''${n}: "|${v}"'') scripts);
mapFiles = let
recipient_maps = let
pairs = n: v: lib.imap1 (i: m: pair n i m) v.recipient_maps;
in lib.attrsets.filterAttrs (k: v: v != null) (
lib.attrsets.listToAttrs (lib.flatten (
- lib.attrsets.mapAttrsToList pairs myconfig.env.mail.postfix.backup_domains
+ lib.attrsets.mapAttrsToList pairs config.myEnv.mail.postfix.backup_domains
))
);
relay_restrictions = lib.attrsets.filterAttrs (k: v: v != null) (
then pkgs.writeText "recipient_access_${n}" v.relay_restrictions
else null
)
- ) myconfig.env.mail.postfix.backup_domains
+ ) config.myEnv.mail.postfix.backup_domains
);
virtual_map = {
virtual = pkgs.writeText "postfix-virtual" (
n: v: ''
script_${n}@mail.immae.eu ${n}@localhost, scripts@mail.immae.eu
''
- ) myconfig.env.mail.scripts
+ ) config.myEnv.mail.scripts
)
);
};
### Virtual mailboxes config
virtual_alias_maps = "hash:/etc/postfix/virtual mysql:${config.secrets.fullPaths."postfix/mysql_alias_maps"}";
- virtual_mailbox_domains = myconfig.env.mail.postfix.additional_mailbox_domains
+ virtual_mailbox_domains = config.myEnv.mail.postfix.additional_mailbox_domains
++ lib.remove "localhost.immae.eu" (lib.remove null (lib.flatten (map
(zone: map
(e: if e.receive
)
(zone.withEmail or [])
)
- myconfig.env.dns.masterZones
+ config.myEnv.dns.masterZones
)));
virtual_mailbox_maps = "mysql:${config.secrets.fullPaths."postfix/mysql_mailbox_maps"}";
dovecot_destination_recipient_limit = "1";
virtual_transport = "dovecot";
### Relay domains
- relay_domains = lib.flatten (lib.attrsets.mapAttrsToList (n: v: v.domains or []) myconfig.env.mail.postfix.backup_domains);
+ relay_domains = lib.flatten (lib.attrsets.mapAttrsToList (n: v: v.domains or []) config.myEnv.mail.postfix.backup_domains);
relay_recipient_maps = lib.flatten (lib.attrsets.mapAttrsToList (n: v:
lib.imap1 (i: m: "${m.type}:/etc/postfix/relay_${n}_${toString i}") v.recipient_maps
- ) myconfig.env.mail.postfix.backup_domains);
+ ) config.myEnv.mail.postfix.backup_domains);
smtpd_relay_restrictions = [
"permit_mynetworks"
"permit_sasl_authenticated"
if lib.attrsets.hasAttr "relay_restrictions" v
then [ "check_recipient_access hash:/etc/postfix/recipient_access_${n}" ]
else []
- ) myconfig.env.mail.postfix.backup_domains);
+ ) config.myEnv.mail.postfix.backup_domains);
### Additional smtpd configuration
smtpd_tls_received_header = "yes";
smtp_tls_loglevel = "1";
### Force ip bind for smtp
- smtp_bind_address = myconfig.env.servers.eldiron.ips.main.ip4;
- smtp_bind_address6 = builtins.head myconfig.env.servers.eldiron.ips.main.ip6;
+ smtp_bind_address = config.myEnv.servers.eldiron.ips.main.ip4;
+ smtp_bind_address6 = builtins.head config.myEnv.servers.eldiron.ips.main.ip6;
# #Unneeded if postfix can only send e-mail from "self" domains
# #smtp_sasl_auth_enable = "yes";
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
{
options.myServices.mail.rspamd.sockets = lib.mkOption {
type = lib.types.attrsOf lib.types.path;
};
locals = {
"redis.conf".text = ''
- servers = "${myconfig.env.mail.rspamd.redis.socket}";
- db = "${myconfig.env.mail.rspamd.redis.db}";
+ servers = "${config.myEnv.mail.rspamd.redis.socket}";
+ db = "${config.myEnv.mail.rspamd.redis.db}";
'';
"classifier-bayes.conf".text = ''
users_enabled = true;
backend = "redis";
- servers = "${myconfig.env.mail.rspamd.redis.socket}";
- database = "${myconfig.env.mail.rspamd.redis.db}";
+ servers = "${config.myEnv.mail.rspamd.redis.socket}";
+ database = "${config.myEnv.mail.rspamd.redis.db}";
autolearn = true;
cache {
backend = "redis";
workers = {
controller = {
extraConfig = ''
- enable_password = "${myconfig.env.mail.rspamd.write_password_hashed}";
- password = "${myconfig.env.mail.rspamd.read_password_hashed}";
+ enable_password = "${config.myEnv.mail.rspamd.write_password_hashed}";
+ password = "${config.myEnv.mail.rspamd.read_password_hashed}";
'';
bindSockets = [ {
socket = config.myServices.mail.rspamd.sockets.worker-controller;
-{ config, myconfig, pkgs, lib, name, hostFQDN, ... }:
+{ config, pkgs, lib, name, ... }:
let
myplugins = pkgs.runCommand "buildplugins" {
buildInputs = [ pkgs.makeWrapper pkgs.perl ];
};
};
commonObjects = pkgs.callPackage ./objects_common.nix ({
- inherit hostFQDN;
+ hostFQDN = config.hostEnv.FQDN;
sudo = "/run/wrappers/bin/sudo";
} // builtins.getAttr name commonConfig);
hostObjects =
enable = true;
mode = "0644";
user = "root";
- text = "MAILADDR ${myconfig.env.monitoring.email}";
+ text = "MAILADDR ${config.myEnv.monitoring.email}";
};
# needed since extraResource is not in the closure
use_syslog=1
log_initial_states=1
date_format=iso8601
- admin_email=${myconfig.env.monitoring.email}
+ admin_email=${config.myEnv.monitoring.email}
obsess_over_services=1
ocsp_command=notify-master
'';
extraResource = ''
$USER2$=${myplugins}
- $USER200$=${myconfig.env.monitoring.status_url}
- $USER201$=${myconfig.env.monitoring.status_token}
+ $USER200$=${config.myEnv.monitoring.status_url}
+ $USER201$=${config.myEnv.monitoring.status_token}
'';
objectDefs = toObjects commonObjects + toObjects hostObjects;
};
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
{
options.myServices.mpd.enable = lib.mkEnableOption "enable MPD";
config = lib.mkIf config.myServices.mpd.enable {
{
dest = "mpd";
permissions = "0400";
- text = myconfig.env.mpd.password;
+ text = config.myEnv.mpd.password;
}
{
dest = "mpd-config";
user = "mpd";
group = "mpd";
text = ''
- password "${myconfig.env.mpd.password}@read,add,control,admin"
+ password "${config.myEnv.mpd.password}@read,add,control,admin"
'';
}
];
services.mpd = {
enable = true;
network.listenAddress = "any";
- musicDirectory = myconfig.env.mpd.folder;
+ musicDirectory = config.myEnv.mpd.folder;
extraConfig = ''
include "/var/secrets/mpd-config"
audio_output {
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
{
options = {
myServices.pub.enable = lib.mkOption {
createHome = true;
description = "Restricted shell user";
home = "/var/lib/pub";
- uid = myconfig.env.users.pub.uid;
+ uid = config.myEnv.users.pub.uid;
useDefaultShell = true;
packages = [
restrict
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
let
cfg = config.myServices.ssh;
in
user = "nobody";
group = "nogroup";
permissions = "0400";
- text = myconfig.env.sshd.ldap.password;
+ text = config.myEnv.sshd.ldap.password;
}];
system.activationScripts.sshd = {
deps = [ "secrets" ];
-{ pkgs, privateFiles, lib, ... }:
+{ pkgs, lib, ... }:
{
config = {
services.duplyBackup.profiles.system = {
_module.args = {
pkgsNext = import <nixpkgsNext> {};
pkgsPrevious = import <nixpkgsPrevious> {};
- myconfig = {
- inherit privateFiles;
- env = import "${privateFiles}/environment.nix";
- };
};
services.journald.extraConfig = ''
{ privateFiles }:
-{ config, pkgs, myconfig, resources, ... }:
+{ config, pkgs, resources, ... }:
{
boot.kernelPackages = pkgs.linuxPackages_latest;
- _module.args.privateFiles = privateFiles;
- _module.args.hostFQDN = "backup-2.v.immae.eu";
+ myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; };
+ hostEnv.FQDN = "backup-2.v.immae.eu";
+
imports = builtins.attrValues (import ../..);
deployment = {
targetEnv = "hetznerCloud";
hetznerCloud = {
- authToken = myconfig.env.hetznerCloud.authToken;
+ authToken = config.myEnv.hetznerCloud.authToken;
datacenter = "hel1-dc2";
location ="hel1";
serverType = "cx11";
firewall.enable = true;
interfaces."ens3".ipv4.addresses = pkgs.lib.attrsets.mapAttrsToList
(n: ips: { address = ips.ip4; prefixLength = 32; })
- (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") myconfig.env.servers.backup-2.ips);
+ (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.myEnv.servers.backup-2.ips);
interfaces."ens3".ipv6.addresses = pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
(n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or []))
- myconfig.env.servers.backup-2.ips);
+ config.myEnv.servers.backup-2.ips);
defaultMailServer = {
directDelivery = true;
services.rsyncBackup = {
mountpoint = "/backup2";
- mailto = myconfig.env.rsync_backup.mailto;
- profiles = myconfig.env.rsync_backup.profiles;
- ssh_key_public = myconfig.env.rsync_backup.ssh_key.public;
- ssh_key_private = myconfig.env.rsync_backup.ssh_key.private;
+ mailto = config.myEnv.rsync_backup.mailto;
+ profiles = config.myEnv.rsync_backup.profiles;
+ ssh_key_public = config.myEnv.rsync_backup.ssh_key.public;
+ ssh_key_private = config.myEnv.rsync_backup.ssh_key.private;
};
myServices.monitoring.enable = true;
hosts = {
eldiron = {
slot = "backup_2";
- connection = "postgresql://backup-2:${myconfig.env.ldap.backup-2.password}@eldiron.immae.eu";
+ connection = "postgresql://backup-2:${config.myEnv.servers.backup-2.ldap.password}@eldiron.immae.eu";
};
};
};
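Review bot: The `connection =` string carries no `sslmode`, so if it is consumed by a libpq-based client the default `sslmode=prefer` will silently fall back to cleartext when TLS negotiation with eldiron.immae.eu fails and the credential goes over the wire unencrypted; unless the server side is known to reject non-TLS connections in pg_hba.conf, append `?sslmode=verify-full` (or at least `?sslmode=require`). The password is also interpolated verbatim, so any `@`, `/`, `?`, `#` or `%` in it would be misparsed as part of the URL rather than the credential. The renamed option `servers.backup-2.ldap.password` makes it explicit that one secret serves as the LDAP, PostgreSQL and (a few lines below, in a separate hunk) MySQL replication password, so a compromise of any one of those services exposes the others.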
eldiron = {
serverId = 2;
# mysql resolves "backup-2" host and checks the ip, but uses /etc/hosts which only contains ip4
- host = myconfig.env.servers.eldiron.ips.main.ip4;
+ host = config.myEnv.servers.eldiron.ips.main.ip4;
port = "3306";
user = "backup-2";
- password = myconfig.env.ldap.backup-2.password;
+ password = config.myEnv.servers.backup-2.ldap.password;
dumpUser = "root";
- dumpPassword = myconfig.env.databases.mysql.systemUsers.root;
+ dumpPassword = config.myEnv.databases.mysql.systemUsers.root;
};
};
};
base = "/backup2";
hosts = {
eldiron = {
- url = "ldaps://${myconfig.env.ldap.host}:636";
- dn = myconfig.env.ldap.replication_dn;
- password = myconfig.env.ldap.replication_pw;
- base = myconfig.env.ldap.base;
+ url = "ldaps://${config.myEnv.ldap.host}:636";
+ dn = config.myEnv.ldap.replication_dn;
+ password = config.myEnv.ldap.replication_pw;
+ base = config.myEnv.ldap.base;
};
};
};
{ privateFiles }:
-{ config, pkgs, myconfig, ... }:
+{ config, pkgs, ... }:
{
boot.kernelPackages = pkgs.linuxPackages_latest;
- _module.args.privateFiles = privateFiles;
- _module.args.hostFQDN = "eldiron.immae.eu";
+ myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; };
+ hostEnv.FQDN = "eldiron.immae.eu";
networking = {
firewall.enable = true;
# 176.9.151.89 declared in nixops -> infra / tools
interfaces."eth0".ipv4.addresses = pkgs.lib.attrsets.mapAttrsToList
(n: ips: { address = ips.ip4; prefixLength = 32; })
- (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") myconfig.env.servers.eldiron.ips);
+ (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.myEnv.servers.eldiron.ips);
interfaces."eth0".ipv6.addresses = pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
(n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or []))
- myconfig.env.servers.eldiron.ips);
+ config.myEnv.servers.eldiron.ips);
};
imports = builtins.attrValues (import ../..);
deployment = {
targetEnv = "hetzner";
hetzner = {
- robotUser = myconfig.env.hetzner.user;
- robotPass = myconfig.env.hetzner.pass;
- mainIPv4 = myconfig.env.servers.eldiron.ips.main.ip4;
+ robotUser = config.myEnv.hetzner.user;
+ robotPass = config.myEnv.hetzner.pass;
+ mainIPv4 = config.myEnv.servers.eldiron.ips.main.ip4;
partitions = ''
clearpart --all --initlabel --drives=sda,sdb
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
let
cfg = config.myServices.tasks;
server_vardir = config.services.taskserver.dataDir;
fqdn = "task.immae.eu";
user = config.services.taskserver.user;
- env = myconfig.env.tools.task;
+ env = config.myEnv.tools.task;
group = config.services.taskserver.group;
taskserver-user-certs = pkgs.runCommand "taskserver-user-certs" {} ''
mkdir -p $out/bin
SetEnv TASKD_LDAP_DN "${env.ldap.dn}"
SetEnv TASKD_LDAP_PASSWORD "${env.ldap.password}"
SetEnv TASKD_LDAP_BASE "${env.ldap.base}"
- SetEnv TASKD_LDAP_FILTER "${env.ldap.search}"
+ SetEnv TASKD_LDAP_FILTER "${env.ldap.filter}"
'';
}];
services.websites.env.tools.watchPaths = [ "/var/secrets/webapps/tools-taskwarrior-web" ];
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
let
- secrets = myconfig.env.websites.aten.integration;
+ secrets = config.myEnv.websites.aten.integration;
app = pkgs.webapps.aten.override { environment = secrets.environment; };
cfg = config.myServices.websites.aten.integration;
pcfg = config.services.phpApplication;
user = config.services.httpd.Inte.user;
group = config.services.httpd.Inte.group;
permissions = "0400";
- text = ''
+ text = let
+ # cf:
+ # https://secure.php.net/manual/fr/function.parse-url.php
+ # vendor/doctrine/dbal/lib/Doctrine/DBAL/DriverManager.php#parseDatabaseUrlQuery
+ psql_url = with secrets.postgresql; "pdo-pgsql://${user}:${password}@invalid:${port}/${database}?host=${socket}";
+ in ''
SetEnv APP_ENV "${app.environment}"
SetEnv APP_SECRET "${secrets.secret}"
- SetEnv DATABASE_URL "${secrets.psql_url}"
+ SetEnv DATABASE_URL "${psql_url}"
'';
}];
services.websites.env.integration.vhostConfs.aten_dev = {
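Review bot: `psql_url` is built by plain interpolation of `user`, `password`, `database` and `socket`, so a reserved URL character in any of them (`@`, `/`, `?`, `#`, `%`, `:`) will be misparsed by the parse_url/DriverManager code the comment links to and the credential can end up in the wrong URL component; percent-encode the pieces, or at least make evaluation fail loudly on them, e.g. `psql_url = with secrets.postgresql; assert !lib.any (c: lib.hasInfix c password) [ "@" "/" "?" "#" "%" ]; "pdo-pgsql://…";`. The `@invalid` placeholder host combined with `?host=${socket}` is a deliberate trick that deserves its own comment, e.g. `# host is a dummy: the socket path in ?host= overrides it for the pgsql driver`. The `with secrets.postgresql;` also brings `user` into scope right next to the attribute `user = config.services.httpd.Inte.user;` above; harmless in a non-`rec` set, but a `let` with explicit names would be less confusing.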
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
let
- secrets = myconfig.env.websites.aten.production;
+ secrets = config.myEnv.websites.aten.production;
app = pkgs.webapps.aten.override { environment = secrets.environment; };
cfg = config.myServices.websites.aten.production;
pcfg = config.services.phpApplication;
user = config.services.httpd.Prod.user;
group = config.services.httpd.Prod.group;
permissions = "0400";
- text = ''
+ text = let
+ # cf:
+ # https://secure.php.net/manual/fr/function.parse-url.php
+ # vendor/doctrine/dbal/lib/Doctrine/DBAL/DriverManager.php#parseDatabaseUrlQuery
+ psql_url = with secrets.postgresql; "pdo-pgsql://${user}:${password}@invalid:${port}/${database}?host=${socket}";
+ in ''
SetEnv APP_ENV "${app.environment}"
SetEnv APP_SECRET "${secrets.secret}"
- SetEnv DATABASE_URL "${secrets.psql_url}"
+ SetEnv DATABASE_URL "${psql_url}"
'';
}];
services.websites.env.production.vhostConfs.aten_prod = {
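Review bot: This `psql_url` construction is a verbatim copy of the one in the integration file, including the unescaped interpolation of `password`, `user`, `database` and `socket`, so both sites will break (or mis-route the credential) the day a password contains `@`, `/`, `?`, `#` or `%`. Rather than fixing the escaping twice, the URL would be better derived once — e.g. as a `url` attribute computed next to the `mkPsqlOptions` definition, or a small `mkPsqlUrl` helper in the shared module — and the two site files would then use `secrets.postgresql.url`. Until then a guard such as `assert !lib.any (c: lib.hasInfix c password) [ "@" "/" "?" "#" "%" ];` before the string keeps a bad secret from being silently misparsed in production.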
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
let
cfg = config.myServices.websites.capitaines.production;
- env = myconfig.env.websites.capitaines;
+ env = config.myEnv.websites.capitaines;
webappName = "capitaines_mastodon";
root = "/run/current-system/webapps/${webappName}";
siteDir = ./mastodon_static;
SetEnv SPIP_LDAP_HOST "ldaps://ldap.immae.eu"
SetEnv SPIP_LDAP_SEARCH_DN "${config.ldap.dn}"
SetEnv SPIP_LDAP_SEARCH_PW "${config.ldap.password}"
- SetEnv SPIP_LDAP_SEARCH "${config.ldap.search}"
+ SetEnv SPIP_LDAP_SEARCH "${config.ldap.filter}"
SetEnv SPIP_MYSQL_HOST "${config.mysql.host}"
SetEnv SPIP_MYSQL_PORT "${config.mysql.port}"
- SetEnv SPIP_MYSQL_DB "${config.mysql.name}"
+ SetEnv SPIP_MYSQL_DB "${config.mysql.database}"
SetEnv SPIP_MYSQL_USER "${config.mysql.user}"
SetEnv SPIP_MYSQL_PASSWORD "${config.mysql.password}"
'';
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
let
chloe = pkgs.callPackage ./builder.nix {
inherit (pkgs.webapps) chloe;
- config = myconfig.env.websites.chloe.integration;
+ config = config.myEnv.websites.chloe.integration;
apacheUser = config.services.httpd.Inte.user;
apacheGroup = config.services.httpd.Inte.group;
};
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
let
chloe = pkgs.callPackage ./builder.nix {
inherit (pkgs.webapps) chloe;
- config = myconfig.env.websites.chloe.production;
+ config = config.myEnv.websites.chloe.production;
apacheUser = config.services.httpd.Prod.user;
apacheGroup = config.services.httpd.Prod.group;
};
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
let
- secrets = myconfig.env.websites.connexionswing.integration;
+ secrets = config.myEnv.websites.connexionswing.integration;
app = pkgs.webapps.connexionswing.override { environment = secrets.environment; };
cfg = config.myServices.websites.connexionswing.integration;
pcfg = config.services.phpApplication;
parameters:
database_host: ${secrets.mysql.host}
database_port: ${secrets.mysql.port}
- database_name: ${secrets.mysql.name}
+ database_name: ${secrets.mysql.database}
database_user: ${secrets.mysql.user}
database_password: ${secrets.mysql.password}
database_server_version: ${pkgs.mariadb.mysqlVersion}
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
let
- secrets = myconfig.env.websites.connexionswing.production;
+ secrets = config.myEnv.websites.connexionswing.production;
app = pkgs.webapps.connexionswing.override { environment = secrets.environment; };
cfg = config.myServices.websites.connexionswing.production;
pcfg = config.services.phpApplication;
parameters:
database_host: ${secrets.mysql.host}
database_port: ${secrets.mysql.port}
- database_name: ${secrets.mysql.name}
+ database_name: ${secrets.mysql.database}
database_user: ${secrets.mysql.user}
database_password: ${secrets.mysql.password}
database_server_version: ${pkgs.mariadb.mysqlVersion}
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
let
www_root = "/run/current-system/webapps/_www";
theme_root = "/run/current-system/webapps/_theme";
<IfModule authnz_ldap_module>
AuthLDAPURL ldap://ldap.immae.eu:389/dc=immae,dc=eu STARTTLS
AuthLDAPBindDN cn=httpd,ou=services,dc=immae,dc=eu
- AuthLDAPBindPassword "${myconfig.env.httpd.ldap.password}"
+ AuthLDAPBindPassword "${config.myEnv.httpd.ldap.password}"
AuthType Basic
AuthName "Authentification requise (Acces LDAP)"
AuthBasicProvider ldap
adminAddr = "httpd@immae.eu";
httpdName = "Prod";
ips =
- let ips = myconfig.env.servers.eldiron.ips.production;
+ let ips = config.myEnv.servers.eldiron.ips.production;
in [ips.ip4] ++ (ips.ip6 or []);
modules = makeModules;
extraConfig = makeExtraConfig;
adminAddr = "httpd@immae.eu";
httpdName = "Inte";
ips =
- let ips = myconfig.env.servers.eldiron.ips.integration;
+ let ips = config.myEnv.servers.eldiron.ips.integration;
in [ips.ip4] ++ (ips.ip6 or []);
modules = makeModules;
extraConfig = makeExtraConfig;
adminAddr = "httpd@immae.eu";
httpdName = "Tools";
ips =
- let ips = myconfig.env.servers.eldiron.ips.main;
+ let ips = config.myEnv.servers.eldiron.ips.main;
in [ips.ip4] ++ (ips.ip6 or []);
modules = makeModules;
extraConfig = makeExtraConfig ++
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
let
cfg = config.myServices.websites.denisejerome.production;
varDir = "/var/lib/ftp/denisejerome";
- env = myconfig.env.websites.denisejerome;
+ env = config.myEnv.websites.denisejerome;
in {
options.myServices.websites.denisejerome.production.enable = lib.mkEnableOption "enable Denise Jerome's website";
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
let
cfg = config.myServices.websites.emilia.production;
- env = myconfig.env.websites.emilia;
+ env = config.myEnv.websites.emilia;
varDir = "/var/lib/moodle";
siteDir = ./moodle;
webappName = "emilia_moodle";
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
let
adminer = pkgs.callPackage ../commons/adminer.nix {};
- secrets = myconfig.env.websites.tellesflorian.integration;
+ secrets = config.myEnv.websites.tellesflorian.integration;
app = pkgs.webapps.tellesflorian.override { environment = secrets.environment; };
cfg = config.myServices.websites.florian.app;
pcfg = config.services.phpApplication;
parameters:
database_host: ${secrets.mysql.host}
database_port: ${secrets.mysql.port}
- database_name: ${secrets.mysql.name}
+ database_name: ${secrets.mysql.database}
database_user: ${secrets.mysql.user}
database_password: ${secrets.mysql.password}
mailer_transport: smtp
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
let
adminer = pkgs.callPackage ../commons/adminer.nix {};
cfg = config.myServices.websites.florian.integration;
varDir = "/var/lib/ftp/florian";
- env = myconfig.env.websites.florian;
+ env = config.myEnv.websites.florian;
in {
options.myServices.websites.florian.integration.enable = lib.mkEnableOption "enable Florian's website integration";
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
let
adminer = pkgs.callPackage ../commons/adminer.nix {};
cfg = config.myServices.websites.florian.production;
varDir = "/var/lib/ftp/florian";
- env = myconfig.env.websites.florian;
+ env = config.myEnv.websites.florian;
in {
options.myServices.websites.florian.production.enable = lib.mkEnableOption "enable Florian's website production";
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
let
cfg = config.myServices.websites.immae.production;
varDir = "/var/lib/buildbot/outputs/immaeEu";
coursDir = "/var/lib/buildbot/outputs/cours";
rechercheDir = "/var/lib/buildbot/outputs/recherche";
- env = myconfig.env.websites.immae;
+ env = config.myEnv.websites.immae;
in {
options.myServices.websites.immae.production.enable = lib.mkEnableOption "enable Immae's website";
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
let
cfg = config.myServices.websites.immae.release;
varDir = "/var/lib/ftp/release.immae.eu";
- env = myconfig.env.websites.release;
+ env = config.myEnv.websites.release;
in {
options.myServices.websites.immae.release.enable = lib.mkEnableOption "enable Release' website";
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
let
cfg = config.myServices.websites.immae.temp;
varDir = "/var/lib/ftp/temp.immae.eu";
- env = myconfig.env.websites.temp;
+ env = config.myEnv.websites.temp;
in {
options.myServices.websites.immae.temp.enable = lib.mkEnableOption "enable Temp' website";
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
let
- secrets = myconfig.env.websites.ludivinecassal.integration;
+ secrets = config.myEnv.websites.ludivinecassal.integration;
app = pkgs.webapps.ludivinecassal.override { environment = secrets.environment; };
cfg = config.myServices.websites.ludivinecassal.integration;
pcfg = config.services.phpApplication;
parameters:
database_host: ${secrets.mysql.host}
database_port: ${secrets.mysql.port}
- database_name: ${secrets.mysql.name}
+ database_name: ${secrets.mysql.database}
database_user: ${secrets.mysql.user}
database_password: ${secrets.mysql.password}
database_server_version: ${pkgs.mariadb.mysqlVersion}
ldap_base_dn: 'dc=immae,dc=eu'
ldap_search_dn: '${secrets.ldap.dn}'
ldap_search_password: '${secrets.ldap.password}'
- ldap_search_filter: '${secrets.ldap.search}'
+ ldap_search_filter: '${secrets.ldap.filter}'
leapt_im:
binary_path: ${pkgs.imagemagick}/bin
assetic:
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
let
- secrets = myconfig.env.websites.ludivinecassal.production;
+ secrets = config.myEnv.websites.ludivinecassal.production;
app = pkgs.webapps.ludivinecassal.override { environment = secrets.environment; };
pcfg = config.services.phpApplication;
cfg = config.myServices.websites.ludivinecassal.production;
parameters:
database_host: ${secrets.mysql.host}
database_port: ${secrets.mysql.port}
- database_name: ${secrets.mysql.name}
+ database_name: ${secrets.mysql.database}
database_user: ${secrets.mysql.user}
database_password: ${secrets.mysql.password}
database_server_version: ${pkgs.mariadb.mysqlVersion}
ldap_base_dn: 'dc=immae,dc=eu'
ldap_search_dn: '${secrets.ldap.dn}'
ldap_search_password: '${secrets.ldap.password}'
- ldap_search_filter: '${secrets.ldap.search}'
+ ldap_search_filter: '${secrets.ldap.filter}'
leapt_im:
binary_path: ${pkgs.imagemagick}/bin
assetic:
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
let
cfg = config.myServices.websites.nassime.production;
varDir = "/var/lib/ftp/nassime";
- env = myconfig.env.websites.nassime;
+ env = config.myEnv.websites.nassime;
in {
options.myServices.websites.nassime.production.enable = lib.mkEnableOption "enable Nassime's website";
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
let
adminer = pkgs.callPackage ../commons/adminer.nix {};
cfg = config.myServices.websites.naturaloutil.production;
varDir = "/var/lib/ftp/jerome";
- env = myconfig.env.websites.jerome;
+ env = config.myEnv.websites.jerome;
in {
options.myServices.websites.naturaloutil.production.enable = lib.mkEnableOption "enable Naturaloutil's website";
<?php
$mysql_user = '${env.mysql.user}' ;
$mysql_server = '${env.mysql.host}' ;
- $mysql_base = '${env.mysql.name}' ;
+ $mysql_base = '${env.mysql.database}' ;
$mysql_password = '${env.mysql.password}' ;
//connect to db
$db = mysqli_init();
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
let
cfg = config.myServices.websites.papa.surveillance;
varDir = "/var/lib/ftp/papa";
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
let
- secrets = myconfig.env.websites.piedsjaloux.integration;
+ secrets = config.myEnv.websites.piedsjaloux.integration;
app = pkgs.webapps.piedsjaloux.override { environment = secrets.environment; };
cfg = config.myServices.websites.piedsjaloux.integration;
pcfg = config.services.phpApplication;
parameters:
database_host: ${secrets.mysql.host}
database_port: ${secrets.mysql.port}
- database_name: ${secrets.mysql.name}
+ database_name: ${secrets.mysql.database}
database_user: ${secrets.mysql.user}
database_password: ${secrets.mysql.password}
database_server_version: ${pkgs.mariadb.mysqlVersion}
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
let
- secrets = myconfig.env.websites.piedsjaloux.production;
+ secrets = config.myEnv.websites.piedsjaloux.production;
app = pkgs.webapps.piedsjaloux.override { environment = secrets.environment; };
cfg = config.myServices.websites.piedsjaloux.production;
pcfg = config.services.phpApplication;
parameters:
database_host: ${secrets.mysql.host}
database_port: ${secrets.mysql.port}
- database_name: ${secrets.mysql.name}
+ database_name: ${secrets.mysql.database}
database_user: ${secrets.mysql.user}
database_password: ${secrets.mysql.password}
database_server_version: ${pkgs.mariadb.mysqlVersion}
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
let
adminer = pkgs.callPackage ../commons/adminer.nix {};
cfg = config.myServices.websites.telioTortay.production;
varDir = "/var/lib/ftp/telio_tortay";
- env = myconfig.env.websites.telioTortay;
+ env = config.myEnv.websites.telioTortay;
in {
options.myServices.websites.telioTortay.production.enable = lib.mkEnableOption "enable Telio Tortay's website";
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
let
nextcloud = pkgs.webapps.nextcloud.withApps (builtins.attrValues pkgs.webapps.nextcloud-apps);
- env = myconfig.env.tools.nextcloud;
+ env = config.myEnv.tools.nextcloud;
varDir = "/var/lib/nextcloud";
webappName = "tools_nextcloud";
apacheRoot = "/run/current-system/webapps/${webappName}";
array (
'host' => '${env.redis.socket}',
'port' => 0,
- 'dbindex' => ${env.redis.db_index},
+ 'dbindex' => ${env.redis.db},
),
'overwrite.cli.url' => 'https://cloud.immae.eu',
'ldapIgnoreNamingRules' => false,
$c->authenticate_hook['optional'] = false;
$c->authenticate_hook['call'] = 'LDAP_check';
$c->authenticate_hook['config'] = array(
- 'host' => 'ldap.immae.eu',
+ 'host' => '${env.ldap.host}',
'port' => '389',
'startTLS' => 'yes',
- 'bindDN'=> 'cn=davical,ou=services,dc=immae,dc=eu',
+ 'bindDN'=> '${env.ldap.dn}',
'passDN'=> '${env.ldap.password}',
'protocolVersion' => '3',
- 'baseDNUsers'=> array('ou=users,dc=immae,dc=eu', 'ou=group_users,dc=immae,dc=eu'),
- 'filterUsers' => 'memberOf=cn=users,cn=davical,ou=services,dc=immae,dc=eu',
- 'baseDNGroups' => 'ou=groups,dc=immae,dc=eu',
- 'filterGroups' => 'memberOf=cn=groups,cn=davical,ou=services,dc=immae,dc=eu',
+ 'baseDNUsers'=> array('ou=users,${env.ldap.base}', 'ou=group_users,${env.ldap.base}'),
+ 'filterUsers' => '${env.ldap.filter}',
+ 'baseDNGroups' => 'ou=groups,${env.ldap.base}',
+ 'filterGroups' => 'memberOf=cn=groups,${env.ldap.dn}',
'mapping_field' => array(
"username" => "uid",
"fullname" => "cn",
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
let
infcloud = rec {
webappName = "tools_infcloud";
'';
};
davical = pkgs.callPackage ./davical.nix {
- env = myconfig.env.tools.davical;
+ env = config.myEnv.tools.davical;
inherit (pkgs.webapps) davical awl;
};
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
let
- env = myconfig.env.tools.diaspora;
+ env = config.myEnv.tools.diaspora;
root = "/run/current-system/webapps/tools_diaspora";
cfg = config.myServices.websites.tools.diaspora;
dcfg = config.services.diaspora;
environment:
url: "https://diaspora.immae.eu/"
certificate_authorities: '${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt'
- redis: '${env.redis_url}'
+ redis: 'redis://${env.redis.host}:${env.redis.port}/${env.redis.db}'
sidekiq:
s3:
assets:
inbound:
ldap:
enable: true
- host: ldap.immae.eu
+ host: ${env.ldap.host}
port: 636
only_ldap: true
mail_attribute: mail
skip_email_confirmation: true
use_bind_dn: true
- bind_dn: "cn=diaspora,ou=services,dc=immae,dc=eu"
+ bind_dn: "${env.ldap.dn}"
bind_pw: "${env.ldap.password}"
- search_base: "dc=immae,dc=eu"
- search_filter: "(&(memberOf=cn=users,cn=diaspora,ou=services,dc=immae,dc=eu)(uid=%{username}))"
+ search_base: "${env.ldap.base}"
+ search_filter: "${env.ldap.filter}"
production:
environment:
development:
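Review bot: The replacement at `search_filter: "${env.ldap.filter}"` drops a literal that carried diaspora's `%{username}` placeholder, so the value behind `config.myEnv.tools.diaspora.ldap.filter` must keep that exact template syntax, and nothing at the point of use says so any more. The same move is made for mastodon (`%{uid}`/`%{email}`, line 2501), mediagoblin (`{username}`, line 2550), etherpad (`{{username}}`, line 2394), kanboard (`%s`, line 2643), ttrss (`???`, line 2666) and the Symfony sites (lines 2193 and 2217), each with a different placeholder convention, so a filter copied from one app's env to another would fail only at login time. A one-line comment at each consumer, e.g. `# env.ldap.filter must keep diaspora's %{username} placeholder`, or a description on the option that declares the filter, would make the contract visible. The option declarations are not in this diff, so whether they already document this cannot be checked here.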
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
let
- env = myconfig.env.tools.etherpad-lite;
+ env = config.myEnv.tools.etherpad-lite;
cfg = config.myServices.websites.tools.etherpad-lite;
# Make sure we’re not rebuilding whole libreoffice just because of a
# dependency
"ldapauth": {
"url": "ldaps://${env.ldap.host}",
"accountBase": "${env.ldap.base}",
- "accountPattern": "(&(memberOf=cn=users,cn=etherpad,ou=services,dc=immae,dc=eu)(uid={{username}}))",
+ "accountPattern": "${env.ldap.filter}",
"displayNameAttribute": "cn",
- "searchDN": "cn=etherpad,ou=services,dc=immae,dc=eu",
+ "searchDN": "${env.ldap.dn}",
"searchPWD": "${env.ldap.password}",
"groupSearchBase": "${env.ldap.base}",
"groupAttribute": "member",
"groupAttributeIsDN": true,
"searchScope": "sub",
- "groupSearch": "(memberOf=cn=groups,cn=etherpad,ou=services,dc=immae,dc=eu)",
+ "groupSearch": "${env.ldap.group_filter}",
"anonymousReadonly": false
}
},
RewriteEngine On
- RewriteMap redirects "txt:${pkgs.writeText "redirects.txt" myconfig.env.tools.etherpad-lite.redirects}"
+ RewriteMap redirects "txt:${pkgs.writeText "redirects.txt" config.myEnv.tools.etherpad-lite.redirects}"
RewriteCond %{QUERY_STRING} "!noredirect"
RewriteCond %{REQUEST_URI} "^(.*)$"
RewriteCond ''${redirects:$1|Unknown} "!Unknown"
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
let
mantisbt = pkgs.callPackage ./mantisbt.nix {
inherit (pkgs.webapps) mantisbt_2 mantisbt_2-plugins;
- env = myconfig.env.tools.mantisbt;
+ env = config.myEnv.tools.mantisbt;
};
gitweb = pkgs.callPackage ./gitweb.nix {
gitoliteDir = config.myServices.gitolite.gitoliteDir;
# --- LDAP ---
$g_login_method = LDAP;
$g_ldap_protocol_version = 3;
- $g_ldap_server = 'ldaps://ldap.immae.eu:636';
- $g_ldap_root_dn = 'ou=users,dc=immae,dc=eu';
- $g_ldap_bind_dn = 'cn=mantisbt,ou=services,dc=immae,dc=eu';
+ $g_ldap_server = 'ldaps://${env.ldap.host}:636';
+ $g_ldap_root_dn = 'ou=users,${env.ldap.base}';
+ $g_ldap_bind_dn = '${env.ldap.dn}';
$g_ldap_bind_passwd = '${env.ldap.password}';
$g_use_ldap_email = ON;
$g_use_ldap_realname = ON;
$g_ldap_uid_field = 'uid';
$g_ldap_realname_field = 'cn';
- $g_ldap_organization = '(memberOf=cn=users,cn=mantisbt,ou=services,dc=immae,dc=eu)';
+ $g_ldap_organization = '${env.ldap.filter}';
'';
}];
webRoot = (mantisbt_2.override { mantis_config = "/var/secrets/webapps/tools-mantisbt"; }).withPlugins (builtins.attrValues mantisbt_2-plugins);
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
let
roundcubemail = pkgs.callPackage ./roundcubemail.nix {
inherit (pkgs.webapps) roundcubemail roundcubemail-plugins roundcubemail-skins;
- env = myconfig.env.tools.roundcubemail;
+ env = config.myEnv.tools.roundcubemail;
};
rainloop = pkgs.callPackage ./rainloop.nix {};
cfg = config.myServices.websites.tools.email;
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
let
domains = (lib.remove null (lib.flatten (map
(zone: map
)
(zone.withEmail or [])
)
- myconfig.env.dns.masterZones
+ config.myEnv.dns.masterZones
)));
# FIXME: increase the id number in modules/private/dns.nix when this
# file change (date -u +'%Y%m%d%H%M%S'Z)
user = apache.user;
group = apache.group;
permissions = "0400";
- text = ''
+ text =
+ let
+ psql_url = with env.postgresql; "pgsql://${user}:${password}@unix(${socket}:${port})/${database}";
+ in ''
<?php
- $config['db_dsnw'] = '${env.psql_url}';
+ $config['db_dsnw'] = '${psql_url}';
$config['default_host'] = 'ssl://imap.immae.eu';
$config['username_domain'] = array(
"imap.immae.eu" => "mail.immae.eu"
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
let
- env = myconfig.env.tools.mastodon;
+ env = config.myEnv.tools.mastodon;
root = "/run/current-system/webapps/tools_mastodon";
cfg = config.myServices.websites.tools.mastodon;
mcfg = config.services.mastodon;
# LDAP authentication (optional)
LDAP_ENABLED=true
- LDAP_HOST=ldap.immae.eu
+ LDAP_HOST=${env.ldap.host}
LDAP_PORT=636
LDAP_METHOD=simple_tls
- LDAP_BASE="dc=immae,dc=eu"
- LDAP_BIND_DN="cn=mastodon,ou=services,dc=immae,dc=eu"
+ LDAP_BASE="${env.ldap.base}"
+ LDAP_BIND_DN="${env.ldap.dn}"
LDAP_PASSWORD="${env.ldap.password}"
LDAP_UID="uid"
- LDAP_SEARCH_FILTER="(&(%{uid}=%{email})(memberOf=cn=users,cn=mastodon,ou=services,dc=immae,dc=eu))"
+ LDAP_SEARCH_FILTER="${env.ldap.filter}"
'';
}];
services.mastodon = {
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
let
- env = myconfig.env.tools.mediagoblin;
+ env = config.myEnv.tools.mediagoblin;
cfg = config.myServices.websites.tools.mediagoblin;
mcfg = config.services.mediagoblin;
in {
user = "mediagoblin";
group = "mediagoblin";
permissions = "0400";
- text = ''
+ text =
+ let
+ psql_url = with env.postgresql; "postgresql://${user}:${password}@:${port}/${database}?host=${socket}";
+ redis_url = with env.redis; "redis+socket://${socket}?virtual_host=${db}";
+ in
+ ''
[DEFAULT]
data_basedir = "${mcfg.dataDir}"
email_sender_address = "mediagoblin@tools.immae.eu"
#sql_engine = sqlite:///%(data_basedir)s/mediagoblin.db
- sql_engine = ${env.psql_url}
+ sql_engine = ${psql_url}
email_debug_mode = false
allow_registration = false
base_url = /mgoblin_media/
[celery]
- CELERY_RESULT_DBURI = ${env.redis_url}
- BROKER_URL = ${env.redis_url}
+ CELERY_RESULT_DBURI = ${redis_url}
+ BROKER_URL = ${redis_url}
CELERYD_CONCURRENCY = 1
[plugins]
[[mediagoblin.plugins.geolocation]]
[[mediagoblin.plugins.ldap]]
[[[immae.eu]]]
- LDAP_SERVER_URI = 'ldaps://ldap.immae.eu:636'
- LDAP_SEARCH_BASE = 'dc=immae,dc=eu'
- LDAP_BIND_DN = 'cn=mediagoblin,ou=services,dc=immae,dc=eu'
+ LDAP_SERVER_URI = 'ldaps://${env.ldap.host}:636'
+ LDAP_SEARCH_BASE = '${env.ldap.base}'
+ LDAP_BIND_DN = '${env.ldap.dn}'
LDAP_BIND_PW = '${env.ldap.password}'
- LDAP_SEARCH_FILTER = '(&(memberOf=cn=users,cn=mediagoblin,ou=services,dc=immae,dc=eu)(uid={username}))'
+ LDAP_SEARCH_FILTER = '${env.ldap.filter}'
EMAIL_SEARCH_FIELD = 'mail'
[[mediagoblin.plugins.basicsearch]]
[[mediagoblin.plugins.piwigo]]
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
let
- env = myconfig.env.tools.peertube;
+ env = config.myEnv.tools.peertube;
cfg = config.myServices.websites.tools.peertube;
pcfg = config.services.peertube;
in {
text = ''
listen:
hostname: 'localhost'
- port: ${env.listenPort}
+ port: ${toString config.myEnv.ports.peertube}
webserver:
https: true
hostname: 'peertube.immae.eu'
redis:
socket: '${env.redis.socket}'
auth: null
- db: ${env.redis.db_index}
+ db: ${env.redis.db}
ldap:
enable: true
ldap_only: false
RewriteCond %{REQUEST_URI} ^/socket.io [NC]
RewriteCond %{QUERY_STRING} transport=websocket [NC]
- RewriteRule /(.*) ws://localhost:${env.listenPort}/$1 [P,NE,QSA,L]
+ RewriteRule /(.*) ws://localhost:${toString env.listenPort}/$1 [P,NE,QSA,L]
RewriteCond %{REQUEST_URI} ^/tracker/socket [NC]
- RewriteRule /(.*) ws://localhost:${env.listenPort}/$1 [P,NE,QSA,L]
+ RewriteRule /(.*) ws://localhost:${toString env.listenPort}/$1 [P,NE,QSA,L]
- ProxyPass / http://localhost:${env.listenPort}/
- ProxyPassReverse / http://localhost:${env.listenPort}/
+ ProxyPass / http://localhost:${toString env.listenPort}/
+ ProxyPassReverse / http://localhost:${toString env.listenPort}/
ProxyPreserveHost On
RequestHeader set X-Real-IP %{REMOTE_ADDR}s
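Review bot: The listen port now comes from two different options: the PeerTube config line `port: ${toString config.myEnv.ports.peertube}` reads `config.myEnv.ports.peertube`, while the Apache `RewriteRule`, `ProxyPass` and `ProxyPassReverse` lines in the following hunks still read `env.listenPort`. If the two values ever diverge, PeerTube listens on one port and the reverse proxy forwards to another, and the break only shows up at runtime. Either keep `env.listenPort` everywhere or point the proxy lines at the same source, e.g. `ProxyPass / http://localhost:${toString config.myEnv.ports.peertube}/`. The enclosing `text = ''…''` string and the vhost configuration start and end outside these hunks.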
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
let
adminer = pkgs.callPackage ./adminer.nix {
inherit (pkgs.webapps) adminer;
};
ympd = pkgs.callPackage ./ympd.nix {
- env = myconfig.env.tools.ympd;
+ env = config.myEnv.tools.ympd;
};
ttrss = pkgs.callPackage ./ttrss.nix {
inherit (pkgs.webapps) ttrss ttrss-plugins;
- env = myconfig.env.tools.ttrss;
+ env = config.myEnv.tools.ttrss;
};
kanboard = pkgs.callPackage ./kanboard.nix {
- env = myconfig.env.tools.kanboard;
+ env = config.myEnv.tools.kanboard;
};
wallabag = pkgs.callPackage ./wallabag.nix {
inherit (pkgs.webapps) wallabag;
- env = myconfig.env.tools.wallabag;
+ env = config.myEnv.tools.wallabag;
};
yourls = pkgs.callPackage ./yourls.nix {
inherit (pkgs.webapps) yourls yourls-plugins;
- env = myconfig.env.tools.yourls;
+ env = config.myEnv.tools.yourls;
};
rompr = pkgs.callPackage ./rompr.nix {
inherit (pkgs.webapps) rompr;
- env = myconfig.env.tools.rompr;
+ env = config.myEnv.tools.rompr;
};
shaarli = pkgs.callPackage ./shaarli.nix {
- env = myconfig.env.tools.shaarli;
+ env = config.myEnv.tools.shaarli;
};
dokuwiki = pkgs.callPackage ./dokuwiki.nix {
inherit (pkgs.webapps) dokuwiki dokuwiki-plugins;
};
ldap = pkgs.callPackage ./ldap.nix {
inherit (pkgs.webapps) phpldapadmin;
- env = myconfig.env.tools.phpldapadmin;
+ env = config.myEnv.tools.phpldapadmin;
};
cfg = config.myServices.websites.tools.tools;
define('LDAP_USERNAME', '${env.ldap.dn}');
define('LDAP_PASSWORD', '${env.ldap.password}');
define('LDAP_USER_BASE_DN', '${env.ldap.base}');
- define('LDAP_USER_FILTER', '(&(memberOf=cn=users,cn=kanboard,ou=services,dc=immae,dc=eu)(uid=%s))');
- define('LDAP_GROUP_ADMIN_DN', 'cn=admins,cn=kanboard,ou=services,dc=immae,dc=eu');
+ define('LDAP_USER_FILTER', '${env.ldap.filter}');
+ define('LDAP_GROUP_ADMIN_DN', '${env.ldap.admin_dn}');
?>
'';
}];
SetEnv SHAARLI_LDAP_DN "${env.ldap.dn}"
SetEnv SHAARLI_LDAP_HOST "ldaps://${env.ldap.host}"
SetEnv SHAARLI_LDAP_BASE "${env.ldap.base}"
- SetEnv SHAARLI_LDAP_FILTER "${env.ldap.search}"
+ SetEnv SHAARLI_LDAP_FILTER "${env.ldap.filter}"
'';
}];
phpFpm = rec {
define('SMTP_FROM_ADDRESS', 'ttrss@tools.immae.eu');
define('DIGEST_SUBJECT', '[tt-rss] New headlines for last 24 hours');
- define('LDAP_AUTH_SERVER_URI', 'ldap://ldap.immae.eu:389/');
+ define('LDAP_AUTH_SERVER_URI', 'ldap://${env.ldap.host}:389/');
define('LDAP_AUTH_USETLS', TRUE);
define('LDAP_AUTH_ALLOW_UNTRUSTED_CERT', TRUE);
- define('LDAP_AUTH_BASEDN', 'dc=immae,dc=eu');
+ define('LDAP_AUTH_BASEDN', '${env.ldap.base}');
define('LDAP_AUTH_ANONYMOUSBEFOREBIND', FALSE);
- define('LDAP_AUTH_SEARCHFILTER', '(&(memberOf=cn=users,cn=ttrss,ou=services,dc=immae,dc=eu)(|(cn=???)(uid=???)(&(uid:dn:=???)(ou=ttrss))))');
+ define('LDAP_AUTH_SEARCHFILTER', '${env.ldap.filter}');
- define('LDAP_AUTH_BINDDN', 'cn=ttrss,ou=services,dc=immae,dc=eu');
+ define('LDAP_AUTH_BINDDN', '${env.ldap.dn}');
define('LDAP_AUTH_BINDPW', '${env.ldap.password}');
define('LDAP_AUTH_LOGIN_ATTRIB', 'immaeTtrssLogin');
redis_password: null
sites_credentials: { }
ldap_enabled: true
- ldap_host: ldap.immae.eu
+ ldap_host: ${env.ldap.host}
ldap_port: 636
ldap_tls: false
ldap_ssl: true
ldap_bind_requires_dn: true
- ldap_base: 'dc=immae,dc=eu'
- ldap_manager_dn: 'cn=wallabag,ou=services,dc=immae,dc=eu'
+ ldap_base: '${env.ldap.base}'
+ ldap_manager_dn: '${env.ldap.dn}'
ldap_manager_pw: ${env.ldap.password}
- ldap_filter: '(&(memberOf=cn=users,cn=wallabag,ou=services,dc=immae,dc=eu))'
- ldap_admin_filter: '(&(memberOf=cn=admins,cn=wallabag,ou=services,dc=immae,dc=eu)(uid=%s))'
+ ldap_filter: '${env.ldap.filter}'
+ ldap_admin_filter: '${env.ldap.admin_filter}'
ldap_username_attribute: uid
ldap_email_attribute: mail
ldap_name_attribute: cn
let
ympd = rec {
config = {
- webPort = "localhost:${env.listenPort}";
+ webPort = "localhost:${toString env.listenPort}";
host = env.mpd.host;
port = env.mpd.port;
};
define( 'YOURLS_DEBUG', false );
define( 'YOURLS_URL_CONVERT', 36 );
$yourls_reserved_URL = array();
- define( 'LDAPAUTH_HOST', 'ldaps://ldap.immae.eu' );
+ define( 'LDAPAUTH_HOST', 'ldaps://${env.ldap.host}' );
define( 'LDAPAUTH_PORT', '636' );
- define( 'LDAPAUTH_BASE', 'dc=immae,dc=eu' );
- define( 'LDAPAUTH_SEARCH_USER', 'cn=yourls,ou=services,dc=immae,dc=eu' );
+ define( 'LDAPAUTH_BASE', '${env.ldap.base}' );
+ define( 'LDAPAUTH_SEARCH_USER', '${env.ldap.dn}' );
define( 'LDAPAUTH_SEARCH_PASS', '${env.ldap.password}' );
define( 'LDAPAUTH_GROUP_ATTR', 'memberof' );
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
let
partModule = lib.types.submodule {
options = {